MD5: 58a30ac6f6f5272cfefbe661d5dc9705
SHA1: ae6080d979d673156cc89a99c09603d71af139ac
SHA256: 471b1c39b74625cf7540f2b26d09bcd83c675c92b0609bccbf5693fa7fcace9c
SSDeep: 768:b3Jqz PVl6ZTtL5KKLyxQRDg6SbG6qYUOxtimw8/fLFXB4lMGB3yLUK2k:w6dl6ZTDLEQRDg6ksYUOnij8u7Cn
Size: 60928 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-08-19 05:07:51
Analyzed on: WindowsXP SP3 32-bit

Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Process activity

The Virus creates the following process(es):

dwwin.exe:264
%original file name%.exe:872

The Virus injects its code into the following process(es):

qibrizy.cmd:1012

File activity

The process dwwin.exe:264 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\12261E.dmp (78635 bytes)

The process qibrizy.cmd:1012 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%System%\WindowsUpdt.exe (19 bytes)

The process %original file name%.exe:872 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jrbyri.rqzq.ajq (60 bytes)
%WinDir%\xwrm.exe (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1e7d_appcompat.txt (6214 bytes)

Registry activity

The process dwwin.exe:264 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 99 2F 00 39 7E C2 49 E6 47 76 43 D2 68 98 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process qibrizy.cmd:1012 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 70 B2 A9 A6 7B 81 27 50 AF 5B 3E B2 04 A9 C2"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WihdowsUpdate" = "%System%\WindowsUpdt.exe"

The process %original file name%.exe:872 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 E4 C2 A6 E6 FE 6F 5B DE DC 07 B4 DC A5 FD D7"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"

The Virus deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Virus deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CNC Shadowserver Reported CnC Server IP group 3
ET CHAT IRC PONG response

Traffic

Web Traffic was not found.

The Virus connects to the servers at the folowing location(s):

\xwrm.exe

%WinDir%\xwrm.exe

Software\Microsoft\Windows\CurrentVersion\Run

USER %s 8 * :%s

NICK %s

PONG %s

JOIN #england

PRIVMSG #england :.-:[X-Worm]:-.

irc.undernet.org

MAIL FROM:<%s>

RCPT TO:<%s>

--%s--

From:<%s>

To: %s

Subject:%s

boundary="%s"

X-Mailer: Microsoft Outlook Express 6.00.2800.1106

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

charset="windows-1255"

name= "%s%s"

Content-Disposition: attachment; filename="%s%s"

Support

No.reply

8.txtt:

8.htmt2

8.rtft*

8.doct"

8.bdxt

8.phpt

8.jspt

8.cgit

smtp

ws2_32.dll

ADVAPI32.DLL

RegOpenKeyExA

RegCloseKey

User32.dll

handle.exe

arnsec.exe

ISABL~1.EXE

8.exe

8.scrtt

8.avitJ

8.doctB

8.mp3t:

8.mpgt2

8.xlst*

8.jpgt"

8.zipt

8.isot

8.pdft

8.pptt

8.rart

D:\handle.exe

SFC.DLL

Pibyqya.jqir

D:\ibyqya.jqir

ReadMe.exe

c:\%original file name%.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\jrbyri.rqzq.ajq

WinExec

GetWindowsDirectoryA

FPTBAWDRF-INOCPANDANTIAMONN32SNOD3NPSSSMSSSCANZONEPROTMONIRWEBMIRCCKDOTROJSAFEJEDITRAYANDASPIDPLORNDLLTRENNSPLNSCHSYSTALERj

qibrizy.cmd

.text

.rsrc

gu>%uM

~nt.ex

CrToMaPh

hPRIVMSG %s :

kernel32.dll

.%suld nb

KERNEL32.dll

2'3.3`3}3

0M1e1w1}1-2x2

qibrizy.cmd_1012:

.text

.rsrc

\WindowsUpdt.exe

irc.undernet.org

__MSVCRT_HEAP_SELECT

user32.dll

WinExec

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

WS2_32.dll

InternetOpenUrlA

WININET.dll

GetCPInfo

url1.dat

PRIVMSG %s :Operations Stoped

PRIVMSG %s :Wasting %s

PRIVMSG %s :Udp Floding %s

-!udp_flood

PRIVMSG %s :%s Downloaded&executed

1.exe

-!download_exe

PRIVMSG %s :Login Success

-!login

PRIVMSG

%*s %s %*s %s %s %s

MODE %s  nsk %s

JOIN %s %s

PONG %s

NICK %s

USER %s 8 * :%s

Software\Microsoft\Windows\CurrentVersion\Run

1209189108

D:\qibrizy.cmd

kernel32.dll

.%suld nb

qibrizy.cmd_1012_rwx_00401000_0000F000:

\WindowsUpdt.exe

irc.undernet.org

__MSVCRT_HEAP_SELECT

user32.dll

WinExec

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

WS2_32.dll

InternetOpenUrlA

WININET.dll

GetCPInfo

url1.dat

PRIVMSG %s :Operations Stoped

PRIVMSG %s :Wasting %s

PRIVMSG %s :Udp Floding %s

-!udp_flood

PRIVMSG %s :%s Downloaded&executed

1.exe

-!download_exe

PRIVMSG %s :Login Success

-!login

PRIVMSG

%*s %s %*s %s %s %s

MODE %s  nsk %s

JOIN %s %s

PONG %s

NICK %s

USER %s 8 * :%s

Software\Microsoft\Windows\CurrentVersion\Run

1209189108

D:\qibrizy.cmd

kernel32.dll

.%suld nb

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   dwwin.exe:264
   %original file name%.exe:872

2. Delete the original Virus file.
   
3. Delete or disinfect the following files created/modified by the Virus:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\12261E.dmp (78635 bytes)
   %System%\WindowsUpdt.exe (19 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\jrbyri.rqzq.ajq (60 bytes)
   %WinDir%\xwrm.exe (60 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\1e7d_appcompat.txt (6214 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "WihdowsUpdate" = "%System%\WindowsUpdt.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "x32x" = "%WinDir%\xwrm.exe"

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.