Virus.Win32.Sality_3fb7de1fb8
Trojan-Dropper.Win32.Agent.hjne (Kaspersky), Virus.Win32.Sality.ah (v) (VIPRE), Worm.Win32.AutoRun!IK (Emsisoft), Backdoor.Win32.Farfli.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, Worm.Win32.Dorkbot.FD, GenericUSBInfector.YR, GenericProxy.YR, GenericSYNFlooder.YR, GenericUDPFlooder.YR, GenericDNSBlocker.YR, GenericMSNWorm.YR, GenericIRCBot.YR, GenericAutorunWorm.YR, VirusSality.YR, WormDorkbot.YR, GenericPhysicalDrive0.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Banker, Trojan, Backdoor, Flooder, Worm, Virus, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3fb7de1fb8c0321c40f18c16eb07a149
SHA1: 3d2bcb7454f8efd6a623f06cef3dbb19d9301ab8
SHA256: 4fc8076aa1a16d11e2a386edf2b01829efb490d2b007c29e0591a30559aeaf68
SSDeep: 3072:njjVNMdCIlMj2g/jkKZCAqgixX5IboQvrcWCZmAN6JOGLsOFSER /zOBUs3qjsxX:n9NMkmWLk2FqgAJITs6gG4OzQ/6Gj2Y
Size: 363520 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-04-13 17:05:59
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through the MSN Messanger. |
| DNSBlocker | A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet. |
| UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
| SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
| USBInfector | A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Virus creates the following process(es):
3fb7de1fb8c0321c40f18c16eb07a149.exe:47152
3fb7de1fb8c0321c40f18c16eb07a149.exe:47108
notepad.exe:8900
NOTEPAD.EXE:48176
NOTEPAD.EXE:48148
NOTEPAD.EXE:47648
NOTEPAD.EXE:47468
NOTEPAD.EXE:47616
netsh.exe:464
The Virus injects its code into the following process(es):
3fb7de1fb8c0321c40f18c16eb07a149.exe:548
mspaint.exe:47164
File activity
The process 3fb7de1fb8c0321c40f18c16eb07a149.exe:548 makes changes in a file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (72 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (8 bytes)
D:\disablejavawarnsec.exe (1008 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winygar.exe (601 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
The Virus deletes the following file(s):
D:\b3b5d (0 bytes)
C:\b3746 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winygar.exe (0 bytes)
The process 3fb7de1fb8c0321c40f18c16eb07a149.exe:47108 makes changes in a file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (2105 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (2105 bytes)
The process mspaint.exe:47164 makes changes in a file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe (2105 bytes)
The Virus deletes the following file(s):
C:\3fb7de1fb8c0321c40f18c16eb07a149.exe (0 bytes)
Registry activity
The process 3fb7de1fb8c0321c40f18c16eb07a149.exe:47152 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 C8 FF C9 8E 4A 20 4F 90 94 5F 3B 20 62 57 35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process 3fb7de1fb8c0321c40f18c16eb07a149.exe:548 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\adm914]
"a4_0" = "0"
[HKCU\Software\adm914]
"a1_0" = "2609372744"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"
[HKCU\Software\adm914\695404737]
"43014726" = "0600687474703A2F2F72656D61646F6E2E64652F6C6F676F732E67696600687474703A2F2F636F6E6E656374696E6764657374696E6174696F6E732E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6D616365646F6E69612E6D79312E72752F6D61696E682E67696600687474703A2F2F656C617377616E792E636F6D2F6C6F676F732E67696600687474703A2F2F65646D61747269782E75732F696D616765732F6D61696E662E67696600687474703A2F2F616472656E616C696E2E636F6D2E74722F696D616765732F6C6F676F732E676966"
[HKCU\Software\adm914\695404737]
"14338242" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"7169121" = "55"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"35845605" = "222"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 99 67 95 6B D4 1F FE 3A FA 03 EA C6 1E 69 4A"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"28676484" = "35"
[HKCU\Software\adm914]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"50183847" = "7C67AF69FA1918A6CCB3A9D14C81D0B4E9330D0A41EEDA93432049E79EDFEE6AF904E6A1FF6AB716DCFA6EE6DBD3E4904B880341202D0399543E2C1830BFA4FC9B1B3A65BF98DF47A2E0D4E7C25542872DD801CE2CC737BCFFE9B2FC4AF20945AF09EF6CB77B3A2364548FFDB10E3993BBBD65D22686D6369049EA7E011E6B7F"
[HKCU\Software\adm914]
"a2_0" = "7221"
[HKCU\Software\adm914\695404737]
"21507363" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"3fb7de1fb8c0321c40f18c16eb07a149.exe" = "c:\3fb7de1fb8c0321c40f18c16eb07a149.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The process 3fb7de1fb8c0321c40f18c16eb07a149.exe:47108 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 0C 70 09 95 64 37 D7 84 50 68 B7 AD FA FB 0E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"
The process notepad.exe:8900 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C D6 61 31 14 54 C5 78 58 79 43 98 AC 58 E8 0C"
The process mspaint.exe:47164 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 D1 94 BF 52 6E BF 84 B7 75 91 B0 4F B6 35 92"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Cukmko" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process NOTEPAD.EXE:48176 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 54 6F 84 A7 7F 6C 00 1A E9 73 12 5A DF 42 86"
The process NOTEPAD.EXE:48148 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 A9 F2 79 A9 CC 41 A4 9F 6F 7E BA 31 19 8C 2B"
The process NOTEPAD.EXE:47648 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 28 E7 C9 2D 36 25 BD 75 D4 75 A6 84 DA B6 26"
The process NOTEPAD.EXE:47468 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 49 BD 0F 06 37 63 F4 34 4A EC 07 FB 4D 30 DB"
The process NOTEPAD.EXE:47616 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 44 56 2F 02 83 B1 48 F1 62 EF 3A 60 0B 42 82"
The process netsh.exe:464 makes changes in a system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 84 81 E7 11 6B 60 48 D4 E4 5A D9 FA C3 68 08"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://api.wipmania.com/ (ET POLICY External IP Lookup Attempt To Wipmania ) |  69.197.137.58 |
| e.joyyven.com |  Unresolvable |
| e.balkrev.com | Unresolvable |
Rootkit activity
The Virus installs the following user-mode hooks in WININET.dll:
HttpSendRequestW
InternetWriteFile
HttpSendRequestA
The Virus installs the following user-mode hooks in dnsapi.dll:
DnsQuery_A
DnsQuery_W
The Virus installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Virus installs the following user-mode hooks in kernel32.dll:
MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA
The Virus installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
3fb7de1fb8c0321c40f18c16eb07a149.exe:47152
3fb7de1fb8c0321c40f18c16eb07a149.exe:47108
notepad.exe:8900
NOTEPAD.EXE:48176
NOTEPAD.EXE:48148
NOTEPAD.EXE:47648
NOTEPAD.EXE:47468
NOTEPAD.EXE:47616
netsh.exe:464 - Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\system.ini (72 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (8 bytes)
D:\disablejavawarnsec.exe (1008 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winygar.exe (601 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (2105 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe (2105 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Cukmko" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
