Virus.Win32.Sality_55a14e7f3d

by malwarelabrobot on June 20th, 2014 in Malware Descriptions.

Trojan.Win32.Agentb.aanb (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.Win32.Swrort.3.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 55a14e7f3d6b234ac12d063e41524f50
SHA1: 3f5f19b59de704c66433967374096991b9249756
SHA256: e051e5a91be289068b041f0232127f3af00df7ac96b60ad8295aac1dd2a38456
SSDeep: 12288:KTyjXW 48qWywrU4kGFezOAVuJ5PIXww7F5DO3HYffINNxvt1H:gIXW/8yw1ez54lIbF5SXYH6NL1H
Size: 758427 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Piriform Ltd.
Created at: 2011-01-18 16:44:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour Description
WormAutorun: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Virus creates the following process(es):

%original file name%.exe:1664

The Virus injects its code into the following process(es):

rundll32.exe:1784
Explorer.EXE:840

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1664 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A062B_Rar\%original file name%.exe (5441 bytes)

The process rundll32.exe:1784 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uvdnv.exe (741 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A1260_Rar\rundll32.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winlkir.exe (15019 bytes)
C:\autorun.inf (272 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%System%\drivers\likrhn.sys (5 bytes)
C:\cyypay.pif (103 bytes)

The Virus deletes the following file(s):

%System%\drivers\likrhn.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A062B_Rar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winlkir.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001A062B_Rar\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uvdnv.exe (0 bytes)

Registry activity

The process %original file name%.exe:1664 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "383921497"

[HKCU\Software\Aas\695404737]
"35845605" = "419"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "247D32B83D47435F2ED0E33C5DD34E729A41500BEC3D7263C63EA032241876F9CA2AB0B709E472865D6C4A30392434DF4508B4552311855571DEB262EFB3B690133A5F283FE741ABB1DFAAE9E664B81EDE3B4A95232E0898017CACF1EB56D1F98C1AFB26401F8945DB790B927771E8A250144DE11B6B0D0D4F0F193516E9AAD7"
"43014726" = "0B00687474703A2F2F7777772E6572692E6564752E706B2F696D616765732F6C6F676F2E67696600687474703A2F2F666F75726C696E652E636F6D2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F65796C656E6972696B2E62697A2F6C6F676F2E67696600687474703A2F2F666F7462616C6261736B612E79632E637A2F696D616765732F666D61696E2E67696600687474703A2F2F65736B696D6F7669652E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F657374657469636165737061636F62656D65737461722E636F6D2E62722F6C6F676F2E67696600687474703A2F2F666F7263656C696E652E636F6D2E74722F696D616765732F6C6F676F2E67696600687474703A2F2F65736F757263652E636F2E696E2F696D616765732F6C6F676F322E67696600687474703A2F2F6164732E797570706164732E636F6D2F6C6F676F2E67696600687474703A2F2F636172743133332E6F72672F696D616765732F6D61696E2E67696600687474703A2F2F66696E65706561726C2E636F6D2E686B2F696D616765732F6C6F676F2E676966"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Aas]
"a3_0" = "17001001"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Msversion" = "2007"

[HKCU\Software\Aas\695404737]
"7169121" = "138"
"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A DE 21 84 9E 76 90 B9 42 FB 16 38 DD 78 12 02"

[HKCU\Software\Aas]
"a2_0" = "7269"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

Adds a rule to the Windows firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The process rundll32.exe:1784 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"35845605" = "419"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "247D32B83D47435F2ED0E33C5DD34E729A41500BEC3D7263C63EA032241876F9CA2AB0B709E472865D6C4A30392434DF4508B4552311855571DEB262EFB3B690133A5F283FE741ABB1DFAAE9E664B81EDE3B4A95232E0898017CACF1EB56D1F98C1AFB26401F8945DB790B927771E8A250144DE11B6B0D0D4F0F193516E9AAD7"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas\695404737]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "138"
"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 0D 0D EF C4 1E 6D 8D CF 1A 56 33 29 1D 31 5C"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Adds a rule to the Windows firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data\Microsoft\Office]
"Rundll32.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe:*:Enabled:ipsec"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The Virus deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]

The Virus deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"

Dropped PE files

MD5 File path
fe9261575638dec5742ddfba5b5fb19c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\001A1260_Rar\rundll32.exe
951edcadf2363c5b1ff5711264d7748e c:\cyypay.pif

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 569841 569856 4.61284 256132fea20837d2e598fb8d4f01d959
.rdata 577536 58474 58880 3.75497 e40dfac2aa919c953afc3e5f529b3350
.data 638976 36632 10752 2.54749 e27b8dce8893e88554c3004d7188b557
.rsrc 675840 114688 113664 5.12956 bb1991214b9f49c6cb77b45981dbfeec

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
d13f99c6b34deee4508a46fb6e697d7b
c73a79c442f40c43136a90a94bc984e5

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Virus connects to the servers at the following location(s):

rundll32.exe_1784:

.text
.rdata
.data
.rsrc
!"#$%%&'())* ,-./0123456789:;<""=>
T$%UR
RSSh
RSSh@SI
xSSSh
FTPjKS
FtPj;S
C.PjRV
portuguese-brazilian
GetProcessWindowStation
operator
AutoHotkey
AppsKey
ListHotkeys
KeyHistory
DetectHiddenWindows
SetKeyDelay
KeyWait
GetKeyState
URLDownloadToFile
MsgBox
IfMsgBox
Hotkey
AHK Keybd
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
Modifiers (Hook's Logical) = %s
Modifiers (Hook's Physical) = %s
Prefix key is down: %s
NOTE: Only the script's own keyboard events are shown
(not the user's), because the keyboard hook isn't installed.
NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)
The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist, U=Unicode character (SendInput).
E7 X
X X
%u hotkeys have been received in the last %ums.
(see #MaxHotkeysPerInterval in the help file)
Nonexistent hotkey. The current thread will exit.
Nonexistent hotkey variant (IfWin). The current thread will exit.
Max hotkeys.
The AltTab hotkey "%s" must specify which key (L or R).
The AltTab hotkey "%s" must have exactly one modifier/prefix.
"%s" is not allowed as a prefix key.
"%s" is not a valid key name. The current thread will exit.
SCx
%s[%Iu of %Iu]: %-1.60s%s
%s[Object]: 0x%p
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%s\%s
AutoHotkey2
Critical Error: %s
<>=/|^,:*&~!()[] -?."'\;`{}
>AUTOHOTKEY SCRIPT<
Could not extract script from EXE.
<>=/|^,:
<>=/|^,:. -*&!?~
Join
Hotkeys/hotstrings are not allowed inside functions.
Duplicate hotkey.
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.
*%s::
if not GetKeyState("%s")
{Blind}%s%s{%s DownTemp}
*%s up::
{Blind}{%s Up}
#InstallKeybdHook
#HotkeyModifierTimeout
#HotkeyInterval
#MaxHotkeysPerInterval
#MaxThreadsPerHotkey
#KeyHistory
#MenuMaskKey
: -*/|&^.
<>=/|^,:*&~!()[] -?."
Invalid hotkey.
"%s" requires at least %d parameter%s.
"%s" requires that parameter #%u be non-blank.
<>=/|^,:*&~!()[]"
<>=/|^,:*&~!()[] -?
Unsupported use of "."
<>=/|^,:*&~!()[] -?.
Unsupported parameter default.
HasKey
detecthiddenwindows
keydelay
subkey
thishotkey
priorhotkey
timesincethishotkey
timesincepriorhotkey
Unsupported use of "["
Too many parameters passed to function.
Too few parameters passed to function.
%s%s%s
%%%s%s%s
Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.
u:
if %s %s %s and %s
%s%s %s %s
For %s,%s in %s
%s (%d) : ==> %s
Specifically: %s
in #include file "%s"
%s%s:%s %-1.500s
Specifically: %-1.100s%s
Error at line %u
Line Text: %-1.100s%s
Local Variables for %s()%s
%sGlobal Variables (alphabetical)%s
Window: %s
Keybd hook: %s
Mouse hook: %s
Enabled Timers: %u of %u (%s)
Interrupted threads: %d%s
Paused threads: %d of %d (%d layers)
Modifiers (GetKeyState() now) = %s
Key History has been disabled via #KeyHistory 0.
System verbs unsupported with RunAs. The current thread will exit.
%s %s
.exe.bat.com.cmd.hta
Verb: <%s>
Action: <%-0.400s%s>%s
Params: <%-0.400s%s>
EndKey:
0xX
0xX
%sLeft
%sTop
%sRight
%sBottom
\AU3_Spy.exe"
%sAU3_Spy.exe"
\AutoHotkey.chm"
%sAutoHotkey.chm"
hh.exe
http://www.autohotkey.com
Could not open URL http://www.autohotkey.com in default browser.
SOFTWARE\AutoHotkey
AutoHotkey v1.0.92.02
set cdaudio door %s wait
open %s type cdaudio alias cd wait shareable
set cd door %s wait
\\.\%c:
Mixer Doesn't Support This Component Type
Component Doesn't Support This Control Type
open "%s" alias AHK_PlayMe
Select File - %s
%s%c%sÊll Files (*.*)%c*.*%c
All Files (*.*)
Text Documents (*.txt)
*.txt
1.0.92.02
\AutoHotkey.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Pos%s
Len%s
Pos%d
Len%d
Compile error %d at offset %d: %s
RunAs: Missing advapi32.dll. The current thread will exit.
0.0.0.0
InternetOpenUrlA
Select Folder - %s
%u.%u.%u.%u
0xX -
%s%ws
AutoHotkeyGUI
%dGui
Button%s
msctls_hotkey32
Report
Password
vkX
Supported only for the tray menu The current thread will exit.
&Suspend Hotkeys
dd
dddddd
GdiplusShutdown
The following %s name contains an illegal character:
"%-1.300s"%s
The maximum number of MsgBoxes has been reached.
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
Error text not found (please report)
WSOCK32.dll
WINMM.dll
VERSION.dll
COMCTL32.dll
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardLayout
SetWindowsHookExA
UnhookWindowsHookEx
RegisterHotKey
UnregisterHotKey
GetAsyncKeyState
GetKeyboardState
SetKeyboardState
keybd_event
VkKeyScanExA
GetKeyNameTextA
MapVirtualKeyA
EnumChildWindows
EnumWindows
ExitWindowsEx
USER32.dll
GDI32.dll
COMDLG32.dll
RegCloseKey
RegOpenKeyExA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteKeyA
ADVAPI32.dll
ShellExecuteExA
SHFileOperationA
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
GetProcessHeap
zcÁ
-()[]{}:;'"/\,.?!
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Office
#%'''<[[^^\\]
"%
$-8GGhnsrr}
$-9GGggs}s
%Mgr.RhY4RfE5Qd:f
PAPADDINGXXPADDINGPADD
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\001A1260_Rar\rundll32.exe
rundll32.exe
http://www.eri.edu.pk/images/logo.gif
http://fourline.com.tr/images/logo.gif
http://eylenirik.biz/logo.gif
http://fotbalbaska.yc.cz/images/fmain.gif
http://eskimovie.com/images/logo.gif
http://esteticaespacobemestar.com.br/logo.gif
http://forceline.com.tr/images/logo.gif
http://esource.co.in/images/logo2.gif
http://ads.yuppads.com/logo.gif
http://cart133.org/images/main.gif
http://finepearl.com.hk/images/logo.gif
uCo9%f
%F`;O
http://89.11
.info/home.gifI
W.text
L32.dll
^p.At%
rnl.exe?
= =$=(=,=0=4=8=<=@
rv:1.9.2.3)
.NEtCLR
.klkjw:9fqwiBu
f3a.sysB
D6c.pBTab
drfig%s:*:
0}.T&?%x=
~UrlA'W
\'Web%
HTTP)s'PJ
o.ENHCD
KPCKwWEBWUPD
>*?456789:;<=
!"#$%&'()* ,-./01230 0
MSVCRT.dll
WS2_32.dll
.xJnN
C.el3
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
&Lines most recently executed
&Hotkeys and their methods
&Key history and script info
&Web Site

rundll32.exe_1784_rwx_003D0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

rundll32.exe_1784_rwx_003E0000_00001000:

|rundll32.exeM_1784_

rundll32.exe_1784_rwx_004AE000_00011000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\001A1260_Rar\rundll32.exe
rundll32.exe
.rsrc
.text
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe
http://www.eri.edu.pk/images/logo.gif
http://fourline.com.tr/images/logo.gif
http://eylenirik.biz/logo.gif
http://fotbalbaska.yc.cz/images/fmain.gif
http://eskimovie.com/images/logo.gif
http://esteticaespacobemestar.com.br/logo.gif
http://forceline.com.tr/images/logo.gif
http://esource.co.in/images/logo2.gif
http://ads.yuppads.com/logo.gif
http://cart133.org/images/main.gif
http://finepearl.com.hk/images/logo.gif
uCo9%f
%F`;O
http://89.11
.info/home.gifI
W.text
L32.dll
^p.At%
rnl.exe?
= =$=(=,=0=4=8=<=@
rv:1.9.2.3)
.NEtCLR
.klkjw:9fqwiBu
f3a.sysB
D6c.pBTab
drfig%s:*:
0}.T&?%x=
~UrlA'W
\'Web%
HTTP)s'PJ
o.ENHCD
KPCKwWEBWUPD
>*?456789:;<=
!"#$%&'()* ,-./01230 0
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA

rundll32.exe_1784_rwx_010E0000_0108E000:

c:\windows
http://www.eri.edu.pk/images/logo.gif
http://fourline.com.tr/images/logo.gif
http://eylenirik.biz/logo.gif
http://fotbalbaska.yc.cz/images/fmain.gif
http://eskimovie.com/images/logo.gif
http://esteticaespacobemestar.com.br/logo.gif
http://forceline.com.tr/images/logo.gif
http://esource.co.in/images/logo2.gif
http://ads.yuppads.com/logo.gif
http://cart133.org/images/main.gif
http://finepearl.com.hk/images/logo.gif
%System%\drivers\likrhn.sys
17054377310
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
http://
ipfltdrv.sys
www.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
rnl.exe?
= =$=(=,=0=4=8=<=@
rv:1.9.2.3)
.NEtCLR
.klkjw:9fqwiBu
f3a.sysB
D6c.pBTab
drfig%s:*:
0}.T&?%x=
~UrlA'W
\'Web%
HTTP)s'PJ
o.ENHCD
KPCKwWEBWUPD
>*?456789:;<=
!"#$%&'()* ,-./01230 0
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll

Explorer.EXE_840_rwx_01450000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

Explorer.EXE_840_rwx_01D60000_00001000:

|explorer.exeM_840_


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1664

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
    %WinDir%\system.ini (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\001A062B_Rar\%original file name%.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uvdnv.exe (741 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\001A1260_Rar\rundll32.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\winlkir.exe (15019 bytes)
    C:\autorun.inf (272 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
    %System%\drivers\likrhn.sys (5 bytes)
    C:\cyypay.pif (103 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
