Virus.Win32.Sality_5d4cf64925
Trojan.Win32.Small.cpd (Kaspersky), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5d4cf649256211e174300fbdb07e208e
SHA1: aafc2b91828ccf578ae0e0d8361de62eb0d69276
SHA256: 6ab9445a71583a71c711f6a82e78ac88cbc949d0e59deefc78c2a8dc2ce00c67
SSDeep: 3072: j0ZBH65NLnFfyEBMTWzVwPCElIVJfQXrXlJoWf: C65XCTWzV/El8J4xJoWf
Size: 111616 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-11-05 02:25:00
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):
%original file name%.exe:452
Explorer.EXE:1684
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:452 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\byhnot.exe (849 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (1048 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\byhnot.exe (0 bytes)
%WinDir%\25027c (0 bytes)
Registry activity
The process %original file name%.exe:452 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Stvncyfrlda]
"m2_8" = "997420537"
"m2_9" = "2732716440"
"m2_2" = "3470575066"
"m2_3" = "910909037"
"m2_0" = "5620"
"m2_1" = "1735292139"
"m2_6" = "1821817157"
"m2_7" = "3557109296"
"m2_4" = "2646188814"
"m2_5" = "86522868"
"m1_151" = "3871363576"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_78" = "973840743"
"m1_150" = "455352933"
"m1_73" = "363750676"
"m1_72" = "1077082464"
"m1_71" = "1055571590"
"m1_70" = "3228853101"
"m1_77" = "3748734604"
"m1_76" = "2110844743"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m1_74" = "1258343815"
"m3_166" = "278866567"
"m3_167" = "2013911602"
"m3_164" = "1136397309"
"m2_98" = "2554772890"
"m1_144" = "196860959"
"m3_163" = "3662911566"
"m3_160" = "2751909385"
"m3_161" = "225933732"
"m1_155" = "4080426827"
"m3_168" = "3782899105"
"m1_154" = "3845096964"
"m2_147" = "1684659805"
"m1_148" = "3792609119"
"m1_149" = "3357546500"
"m1_146" = "3959395735"
"m1_147" = "2331778766"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Stvncyfrlda]
"m1_145" = "3271346016"
"m1_142" = "4106513927"
"m1_143" = "3658871133"
"m1_140" = "2463626990"
"m2_107" = "992510553"
"m2_99" = "4290054557"
"m2_148" = "3419963040"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Stvncyfrlda]
"m3_35" = "622481870"
"m3_34" = "3182011987"
"m3_37" = "4092948712"
"m3_36" = "2323956093"
"m3_31" = "2270958618"
"m3_30" = "535979247"
"m3_33" = "1413429028"
"m3_32" = "3972958089"
"m3_39" = "3234960306"
"m3_38" = "1533534215"
"m4_0" = "0"
"m4_1" = "1735290733"
"m4_2" = "3470581466"
"m4_3" = "910904903"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m4_6" = "1821809806"
"m4_7" = "3557100539"
"m4_8" = "997423976"
"m4_9" = "2732714709"
"m2_69" = "3770949084"
"m2_68" = "2035648941"
"m2_61" = "2773520963"
"m2_60" = "1038237066"
"m2_63" = "1949135835"
"m2_62" = "213837243"
"m2_65" = "1124756469"
"m2_64" = "3684432706"
"m2_67" = "300367698"
"m2_66" = "2860034414"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Stvncyfrlda]
"m1_79" = "3650523935"
"m4_129" = "514205165"
"m4_128" = "3073881728"
"m4_125" = "2162976825"
"m4_124" = "427686092"
"m4_127" = "1338590995"
"m4_126" = "3898267558"
"m4_121" = "3811748485"
"m4_120" = "2076457752"
"m4_123" = "2987362655"
"m4_122" = "1252071922"
"m4_158" = "3592996166"
"m4_159" = "1033319603"
"m3_185" = "3217944556"
"m4_150" = "2595572190"
"m4_151" = "35895627"
"m4_152" = "1771186360"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m4_154" = "946800530"
"m4_155" = "2682091263"
"m4_156" = "122414700"
"m4_157" = "1857705433"
"m2_134" = "600720940"
"m2_135" = "2336020316"
"m4_29" = "3078791001"
"m4_28" = "1343500268"
"m2_130" = "2249491664"
"m2_131" = "3984790576"
"m2_132" = "1425107194"
"m2_133" = "3160405736"
"m4_23" = "1256981195"
"m4_22" = "3816657758"
"m4_21" = "2081367025"
"m4_20" = "346076292"
"m4_27" = "3903176831"
"m4_26" = "2167886098"
"m4_25" = "432595365"
"m4_24" = "2992271928"
"m3_182" = "2306891095"
"m3_183" = "4008889538"
"m1_24" = "3613212736"
"m1_25" = "2531353560"
"m1_26" = "3681034081"
"m1_27" = "2791595298"
"m1_20" = "2135919545"
"m1_21" = "2130151552"
"m1_22" = "2908128751"
"m1_23" = "1328626177"
"m1_28" = "2721086244"
"m1_29" = "2669791237"
"m3_122" = "1268937691"
"m3_123" = "3003966326"
"m3_120" = "2059882801"
"m3_121" = "3794911404"
"m3_126" = "3914972559"
"m3_127" = "1321872698"
"m3_124" = "410948325"
"m3_125" = "2179924496"
"m3_128" = "3056917673"
"m3_129" = "530927556"
"m3_165" = "2871966568"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_162" = "1927407827"
"m1_99" = "2504271259"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 37 A7 DD 93 1B 7B 74 E5 C8 6D 8E 6E 86 82 84"
[HKCU\Software\Stvncyfrlda]
"m1_91" = "2880551118"
"m1_90" = "1785168467"
"m1_93" = "3868381928"
"m1_92" = "569313862"
"m1_95" = "4251445433"
"m1_94" = "1364330328"
"m1_97" = "860293927"
"m1_96" = "2685381530"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m1_108" = "3965858625"
"m1_109" = "4204878290"
"m1_102" = "3573058874"
"m1_103" = "2791676914"
"m1_100" = "1172288485"
"m1_101" = "2458046808"
"m1_106" = "4284666526"
"m1_107" = "2572087797"
"m1_104" = "2656261875"
"m1_105" = "2359338244"
"m3_3" = "927474798"
"m3_2" = "3487544563"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m3_7" = "3573965266"
"m3_6" = "1838544551"
"m3_5" = "69945096"
"m3_4" = "2629490589"
"m3_9" = "2749530364"
"m3_8" = "980422977"
"m3_93" = "2451378352"
"m3_92" = "716398853"
"m3_91" = "3309498774"
"m3_90" = "1573930619"
"m3_97" = "836457060"
"m3_96" = "3362431689"
"m3_95" = "1626878810"
"m3_94" = "4220485679"
[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "96"
[HKCU\Software\Stvncyfrlda]
"m3_99" = "4273372430"
"m2_94" = "4203544399"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_98" = "2571488659"
"m3_169" = "1189405916"
"m1_75" = "830168229"
"m2_146" = "4244345628"
"m1_5" = "1298848582"
"m1_4" = "2048263930"
"m1_7" = "2827602110"
"m1_6" = "983773140"
"m1_1" = "1507267892"
"m1_0" = "318153590"
"m3_68" = "2018964189"
"m3_69" = "3787940424"
"m3_66" = "2877018163"
"m3_67" = "283394990"
"m3_64" = "3667439977"
"m3_65" = "1107894404"
"m3_62" = "230528591"
"m3_63" = "1965949434"
"m3_60" = "1021409189"
"m3_61" = "2756962000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Stvncyfrlda]
"m2_149" = "860274706"
"m1_141" = "638226787"
"m2_29" = "3078784314"
"m2_28" = "1343503051"
"m2_25" = "432567332"
"m2_24" = "2992269470"
"m2_27" = "3903181095"
"m2_26" = "2167883983"
"m2_21" = "2081372795"
"m2_20" = "346074416"
"m2_23" = "1256984587"
"m2_22" = "3816656291"
"m2_169" = "1206359051"
"m2_168" = "3766026546"
[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"
[HKCU\Software\Stvncyfrlda]
"m2_163" = "3679513715"
"m2_162" = "1944229536"
"m2_161" = "208930241"
"m2_160" = "2768616228"
"m2_167" = "2030740927"
"m2_166" = "295459942"
"m2_165" = "2855125841"
"m2_164" = "1119844446"
"m4_114" = "254647946"
"m4_115" = "1989938679"
"m4_116" = "3725229412"
"m4_117" = "1165552849"
"m4_110" = "1903419606"
"m4_111" = "3638710339"
"m4_112" = "1079033776"
"m4_113" = "2814324509"
"m4_118" = "2900843582"
"m4_119" = "341167019"
"m4_74" = "3857462658"
"m4_75" = "1297786095"
"m4_76" = "3033076828"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m4_70" = "1211267022"
"m4_71" = "2946557755"
"m4_72" = "386881192"
"m4_73" = "2122171925"
"m4_78" = "2208690998"
"m4_79" = "3943981731"
"m4_188" = "4112110604"
"m4_187" = "2376819871"
"m4_186" = "641529138"
"m4_185" = "3201205701"
"m4_184" = "1465914968"
"m4_183" = "4025591531"
"m4_182" = "2290300798"
"m4_181" = "555010065"
"m4_180" = "3114686628"
"m1_3" = "2164400659"
"m1_2" = "2304479401"
"m2_90" = "1557348167"
"m2_91" = "3292627822"
"m2_92" = "732962720"
"m1_68" = "2218639178"
"m1_69" = "1920009634"
"m2_93" = "2468244843"
"m1_60" = "3856029946"
"m1_62" = "520344797"
"m1_63" = "2823478121"
"m1_64" = "2249114939"
"m1_65" = "4102030611"
"m1_66" = "3835521491"
"m1_67" = "45369664"
"m3_179" = "1395950366"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m2_96" = "3379156655"
"m3_130" = "2266496883"
"m3_171" = "398919654"
"m3_170" = "2924909643"
"m3_173" = "3835831936"
"m2_97" = "819471054"
"m3_175" = "3044884906"
"m3_174" = "1275909695"
"m3_177" = "2186829940"
"m3_176" = "451932377"
"m1_152" = "2256499458"
"m3_22" = "3799972215"
"m3_23" = "1273981154"
"m3_20" = "363060909"
"m3_21" = "2097957336"
"m3_26" = "2150906683"
"m3_27" = "3920013910"
"m3_24" = "3008960529"
"m3_25" = "415992716"
"m1_159" = "689910280"
"m1_158" = "3198481396"
"m3_28" = "1360479685"
"m3_29" = "3061970288"
[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"
[HKCU\Software\Stvncyfrlda]
"m2_76" = "3033073597"
"m2_77" = "473403712"
"m2_74" = "3857460681"
"m2_75" = "1297790407"
"m2_72" = "386879391"
"m2_73" = "2122178273"
"m2_70" = "1211262615"
"m2_71" = "2946563527"
"m2_78" = "2208686780"
"m2_79" = "3943986831"
"m3_57" = "110470508"
"m3_56" = "2703963633"
"m3_55" = "968530498"
"m3_54" = "3494439639"
"m3_53" = "1759411128"
"m3_52" = "57526285"
"m3_51" = "2583910558"
"m3_50" = "848472419"
"m3_59" = "3614491702"
"m3_58" = "1845908635"
"m1_156" = "256744705"
"m2_127" = "1338596988"
"m4_149" = "860281457"
"m4_148" = "3419958020"
"m2_126" = "3898264625"
"m4_143" = "3333438947"
"m4_142" = "1598148214"
"m4_141" = "4157824777"
"m4_140" = "2422534044"
"m4_147" = "1684667287"
"m4_146" = "4244343850"
"m4_145" = "2509053117"
"m4_144" = "773762384"
"m4_38" = "1516538414"
"m4_39" = "3251829147"
"m2_125" = "2162979747"
"m2_124" = "427683307"
"m2_123" = "2987366472"
"m2_122" = "1252067687"
"m2_121" = "3811752168"
"m2_120" = "2076453908"
"m4_30" = "519114438"
"m4_31" = "2254405171"
"m4_32" = "3989695904"
"m4_33" = "1430019341"
"m4_34" = "3165310074"
"m4_35" = "605633511"
"m4_36" = "2340924244"
"m4_37" = "4076214977"
[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
[HKCU\Software\Stvncyfrlda]
"m1_11" = "2595494421"
"m1_10" = "2784447633"
"m1_13" = "1166324722"
"m1_12" = "3815683897"
"m1_15" = "683647708"
"m1_14" = "890140200"
"m1_17" = "712778214"
"m1_16" = "92834283"
"m1_19" = "94839649"
"m1_18" = "1716404721"
"m3_184" = "1449360497"
"m3_135" = "2319427666"
"m3_134" = "583874855"
"m3_137" = "1528482684"
"m3_136" = "4087897025"
"m4_89" = "4117019877"
"m4_88" = "2381729144"
"m3_133" = "3176958344"
"m3_132" = "1441930781"
"m4_85" = "1470824241"
"m4_84" = "4030500804"
"m4_87" = "646438411"
"m4_86" = "3206114974"
"m4_81" = "3119595901"
"m4_80" = "1384305168"
"m4_83" = "2295210071"
"m4_82" = "559919338"
"m2_129" = "514210899"
"m2_128" = "3073876172"
"m1_86" = "4239021380"
"m1_87" = "767203261"
"m1_84" = "4131663785"
"m1_85" = "707692670"
"m1_82" = "164502251"
"m1_83" = "2081352061"
"m1_80" = "3864149812"
"m1_81" = "1641817387"
"m1_180" = "1624377291"
"m1_88" = "599881541"
"m1_89" = "2354064600"
"m3_186" = "658480923"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Stvncyfrlda]
"m3_140" = "2439480757"
"m3_141" = "4140840224"
"m3_142" = "1581425759"
"m3_143" = "3350419402"
"m1_119" = "207471459"
"m1_118" = "4021525120"
"m3_146" = "4260947459"
"m3_147" = "1701482942"
"m1_115" = "125894462"
"m1_114" = "1096281302"
"m1_117" = "3429605743"
"m1_116" = "1915722803"
"m1_111" = "375671288"
"m1_110" = "3830546023"
"m1_113" = "4236781474"
"m1_112" = "256886503"
"m1_168" = "1551328244"
"m1_169" = "1759085956"
"m1_160" = "4031664282"
"m1_161" = "51608740"
"m1_162" = "2647556321"
"m1_163" = "3213815932"
"m1_164" = "1871027919"
"m1_165" = "3358799903"
"m1_166" = "3124099101"
"m1_167" = "2041856616"
"m3_80" = "1401010233"
"m3_81" = "3102878548"
"m3_82" = "542956227"
"m3_83" = "2311932542"
"m3_84" = "4047496685"
"m3_85" = "1453954328"
"m3_86" = "3189376183"
"m3_87" = "663008290"
"m3_88" = "2364876625"
"m3_89" = "4100445900"
"m3_19" = "2888904510"
"m3_18" = "1153482627"
"m3_13" = "1100530336"
"m3_12" = "3626914613"
"m3_11" = "1891476358"
"m3_10" = "190001259"
"m3_17" = "3746958356"
"m3_16" = "2011536633"
"m3_15" = "243002698"
"m3_14" = "2835971551"
[HKCU\Software\Stvncyfrlda\168128873]
[HKCU\Software\Stvncyfrlda]
"m2_49" = "3424863856"
"m2_48" = "1689583229"
"m2_47" = "4249248257"
"m2_46" = "2513969000"
"m2_45" = "778668179"
"m2_44" = "3338351752"
"m2_43" = "1603054720"
"m2_42" = "4162737972"
"m2_41" = "2427439994"
"m2_40" = "692154476"
"m2_38" = "1516543404"
"m2_39" = "3251823481"
"m2_32" = "3989699611"
"m2_33" = "1430012855"
"m2_30" = "519120840"
"m2_31" = "2254398203"
"m2_36" = "2340926174"
"m2_37" = "4076211751"
"m2_34" = "3165312073"
"m2_35" = "605627527"
"m2_158" = "3593000354"
"m2_159" = "1033317989"
"m2_156" = "122419164"
"m2_157" = "1857700798"
"m2_154" = "946804940"
"m2_155" = "2682089006"
"m2_152" = "1771190753"
"m2_153" = "3506470957"
"m2_150" = "2595577784"
"m2_151" = "35892162"
"m4_107" = "992514703"
"m4_106" = "3552191266"
"m4_105" = "1816900533"
"m4_104" = "81609800"
"m4_103" = "2641286363"
"m4_102" = "905995630"
"m4_101" = "3465672193"
"m4_100" = "1730381460"
"m3_131" = "3967839982"
"m4_109" = "168128873"
"m4_108" = "2727805436"
"m4_41" = "2427443317"
"m4_40" = "692152584"
"m4_43" = "1603057487"
"m4_42" = "4162734050"
"m4_45" = "778671657"
"m4_44" = "3338348220"
"m4_47" = "4249253123"
"m4_46" = "2513962390"
"m4_49" = "3424867293"
"m4_48" = "1689576560"
"m3_100" = "1713433789"
"m3_139" = "703982086"
"m3_138" = "3230366443"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Stvncyfrlda]
"m1_55" = "1918908881"
"m1_54" = "3949578560"
"m1_57" = "1837395508"
"m1_56" = "4040002411"
"m1_51" = "3501760777"
"m1_50" = "3588418323"
"m1_53" = "769778987"
"m1_52" = "463136594"
"m1_59" = "4118605742"
"m1_58" = "3375634331"
"m3_108" = "2744413141"
"m3_109" = "184949568"
"m3_104" = "98446945"
"m3_105" = "1833490844"
"m3_106" = "3535358219"
"m3_107" = "975960230"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_101" = "3482491944"
"m3_102" = "922947399"
"m3_103" = "2624438002"
"m2_83" = "2295214499"
"m4_77" = "473400265"
"m1_124" = "621010180"
"m1_125" = "397563010"
"m1_126" = "3648847215"
"m1_127" = "605735341"
"m1_120" = "2179339062"
"m1_121" = "3702905034"
"m1_122" = "2100587686"
"m1_123" = "2248739017"
"m1_128" = "3605517225"
"m1_129" = "2255277349"
"m3_187" = "2359824054"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Stvncyfrlda]
"m3_44" = "3354938517"
"m3_45" = "795540480"
"m3_46" = "2497408959"
"m3_47" = "4232388394"
"m3_40" = "675414817"
"m3_41" = "2444014172"
"m3_42" = "4179439051"
"m3_43" = "1586486630"
"m3_48" = "1706528345"
"m3_49" = "3441441268"
"m3_144" = "790480761"
"m2_186" = "641526952"
"m3_145" = "2492364436"
"m4_178" = "3939072458"
"m4_179" = "1379395895"
"m4_176" = "468490992"
"m4_177" = "2203781725"
"m4_174" = "1292876822"
"m4_175" = "3028167555"
"m4_172" = "2117262652"
"m4_173" = "3852553385"
"m4_170" = "2941648482"
"m4_171" = "381971919"
"m2_118" = "2900837859"
"m2_119" = "341168779"
"m2_112" = "1079028803"
"m2_113" = "2814324803"
"m2_110" = "1903427180"
"m2_111" = "3638708755"
"m2_116" = "3725223826"
"m2_117" = "1165556181"
"m2_114" = "254643710"
"m2_115" = "1989941322"
"m2_185" = "3201211723"
"m2_184" = "1465910066"
"m2_187" = "2376824809"
"m4_153" = "3506477093"
"m2_181" = "555015173"
"m2_180" = "3114680697"
"m2_183" = "4025597889"
"m2_182" = "2290349174"
"m2_188" = "4112108456"
"m3_180" = "3097834125"
"m1_153" = "2104471639"
"m4_98" = "2554767290"
"m4_99" = "4290058023"
"m4_92" = "732957484"
"m4_93" = "2468248217"
"m4_90" = "1557343314"
"m4_91" = "3292634047"
"m4_96" = "3379153120"
"m4_97" = "819476557"
"m4_94" = "4203538950"
"m4_95" = "1643862387"
"m2_137" = "1511636975"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m2_138" = "3246917062"
"m2_139" = "687248107"
"m3_153" = "3489919500"
"m3_152" = "1754350225"
"m3_151" = "52482914"
"m3_150" = "2612405239"
"m3_157" = "1874411504"
"m3_156" = "105417797"
"m3_155" = "2665356502"
"m3_154" = "963407291"
"m3_159" = "1016356506"
"m3_158" = "3609964399"
"m1_179" = "2290863214"
"m1_178" = "2734627941"
"m1_173" = "3674155028"
"m1_172" = "840682045"
"m1_171" = "2227466420"
"m1_170" = "2036203333"
"m1_177" = "1290478310"
"m1_176" = "2639223681"
"m1_175" = "2550075465"
"m1_174" = "377576498"
"m1_9" = "2439504878"
"m3_181" = "538419768"
"m1_8" = "427367879"
"m2_108" = "2727809291"
"m3_148" = "3403350317"
"m2_58" = "1862605688"
"m2_59" = "3597908658"
"m3_149" = "843427928"
"m2_54" = "3511391114"
"m2_55" = "951709393"
"m2_56" = "2686996020"
"m2_57" = "127327785"
"m2_50" = "865194594"
"m2_51" = "2600479616"
"m2_52" = "40796963"
"m2_53" = "1776094869"
"m2_106" = "3552194838"
"m1_61" = "3883411507"
"m4_138" = "3246919874"
"m4_139" = "687243311"
"m4_132" = "1425110068"
"m4_133" = "3160400801"
"m4_130" = "2249495898"
"m4_131" = "3984786631"
"m4_136" = "4071305704"
"m4_137" = "1511629141"
"m4_134" = "600724238"
"m4_135" = "2336014971"
"m3_178" = "3955889123"
"m2_136" = "4071303587"
"m2_141" = "4157817763"
"m2_140" = "2422538008"
"m2_143" = "3333431655"
"m2_142" = "1598148654"
"m2_145" = "2509048385"
"m2_144" = "773766567"
"m4_58" = "1862614706"
"m4_59" = "3597905439"
"m4_56" = "2687000536"
"m4_57" = "127323973"
"m4_54" = "3511386366"
"m4_55" = "951709803"
"m4_52" = "40804900"
"m4_53" = "1776095633"
"m4_50" = "865190730"
"m4_51" = "2600481463"
"m3_172" = "2133964565"
"m1_37" = "3860024733"
"m1_36" = "1637165471"
"m1_35" = "3032303190"
"m1_34" = "2506293444"
"m1_33" = "421087932"
"m1_32" = "2122992078"
"m1_31" = "2474409719"
"m1_30" = "501753023"
"m3_188" = "4095393317"
"m1_39" = "231408256"
"m1_38" = "2286462867"
"m1_42" = "1847483033"
"m1_43" = "3890749237"
"m1_40" = "1911060339"
"m1_41" = "392919300"
"m1_46" = "2195619552"
"m1_47" = "3210015294"
"m1_44" = "870045903"
"m1_45" = "3915724632"
"m1_48" = "714023176"
"m1_49" = "3864764255"
"m3_119" = "357998978"
"m3_118" = "2917414423"
"m3_117" = "1148946168"
"m3_116" = "3741914957"
"m3_115" = "2006935518"
"m3_114" = "237958307"
"m3_113" = "2797356340"
"m3_112" = "1096013209"
"m3_111" = "3655416426"
"m3_110" = "1886423807"
"m2_95" = "1643858867"
"m1_137" = "2478212331"
"m1_136" = "2076590071"
"m1_135" = "1998433728"
"m1_134" = "3589046727"
"m1_133" = "2318770167"
"m1_132" = "470485129"
"m1_131" = "2884301663"
"m1_130" = "1724461260"
"m1_139" = "2649857392"
"m1_138" = "1647923064"
"m1_182" = "1294583842"
"m1_183" = "3825712983"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_181" = "2468110245"
"m1_186" = "1151851153"
"m1_187" = "1199603899"
"m1_184" = "1681767769"
"m1_185" = "2609447034"
"m1_188" = "2593984892"
"m2_10" = "173034750"
"m2_11" = "1908331627"
"m2_12" = "3643613689"
"m2_13" = "1083945798"
"m2_14" = "2819231598"
"m2_15" = "259561945"
"m2_16" = "1994807776"
"m2_17" = "3730144361"
"m2_18" = "1170468960"
"m2_19" = "2905759711"
"m3_71" = "2929954066"
"m3_70" = "1227955687"
"m3_73" = "2139008060"
"m3_72" = "369900673"
"m3_75" = "1280954054"
"m3_74" = "3840892843"
"m3_77" = "490007008"
"m3_76" = "3049946741"
"m3_79" = "3927378058"
"m3_78" = "2191956255"
"m2_89" = "4117012929"
"m2_88" = "2381731611"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m2_82" = "559917770"
"m2_81" = "3119600453"
"m2_80" = "1384301670"
"m2_87" = "646433517"
"m2_86" = "3206107072"
"m2_85" = "1470819493"
"m2_84" = "4030504488"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_98" = "2342127307"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Stvncyfrlda]
"m2_109" = "168128467"
"m4_12" = "3643619612"
"m4_13" = "1083943049"
"m4_10" = "173038146"
"m4_11" = "1908328879"
"m4_16" = "1994847952"
"m4_17" = "3730138685"
"m4_14" = "2819233782"
"m4_15" = "259557219"
"m2_105" = "1816897658"
"m2_104" = "81613332"
"m4_18" = "1170462122"
"m4_19" = "2905752855"
"m2_101" = "3465668565"
"m2_100" = "1730386420"
"m2_103" = "2641281639"
"m2_102" = "905998464"
"m2_178" = "3939069727"
"m2_179" = "1379398679"
"m2_170" = "2941643666"
"m2_171" = "381973947"
"m2_172" = "2117258096"
"m2_173" = "3852556686"
"m2_174" = "1292871954"
"m2_175" = "3028171542"
"m2_176" = "468485937"
"m2_177" = "2203784064"
"m4_161" = "208933773"
"m4_160" = "2768610336"
"m4_163" = "3679515239"
"m4_162" = "1944224506"
"m4_165" = "2855129409"
"m4_164" = "1119838676"
"m4_167" = "2030743579"
"m4_166" = "295452846"
"m4_169" = "1206357749"
"m4_168" = "3766034312"
[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F736C776F6366642F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
[HKCU\Software\Stvncyfrlda]
"m4_67" = "300362119"
"m4_66" = "2860038682"
"m4_65" = "1124747949"
"m4_64" = "3684424512"
"m4_63" = "1949133779"
"m4_62" = "213843046"
"m4_61" = "2773519609"
"m4_60" = "1038228876"
"m4_69" = "3770943585"
"m4_68" = "2035652852"
[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "67"
[HKCU\Software\Stvncyfrlda]
"m1_157" = "4213613986"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 81920 | 78336 | 5.51997 | 9d6fdee4f3834414d51e793d98263950 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
3abc6e0ae131fc17ac1f6f5d29090954
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Virus connects to the servers at the following location(s):
.text
KERNEL32.dll
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
d4cf649256211e174300fbdb07e208e.exe
hXXp://slwocfd/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
http:
.info/ho*y
me.gifI888
JKERNEL32.dll}
.rel.
h.rdla
[email protected]{WiN8
= =$=(=,=0=4=
FunWeb
.klkjw:9fqwiBu
c.pBTa
fi_%s:*:
.t&?%x=
.wVVDBAVCN
GUrlA'
>HTTP)s'P
L/KPCKwWEBW1
NG.SEIAUDh
MM.PF
%xn'\
>>?456789:;
!"#$%&'()* ,-./4
^,h%x
A.bSxo
CRT_PO
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_452_rwx_00401000_00001000:
KERNEL32.dll
%original file name%.exe_452_rwx_00404000_00011000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
.text
d4cf649256211e174300fbdb07e208e.exe
hXXp://slwocfd/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
http:
.info/ho*y
me.gifI888
JKERNEL32.dll}
.rel.
h.rdla
[email protected]{WiN8
= =$=(=,=0=4=
FunWeb
.klkjw:9fqwiBu
c.pBTa
fi_%s:*:
.t&?%x=
.wVVDBAVCN
GUrlA'
>HTTP)s'P
L/KPCKwWEBW1
NG.SEIAUDh
MM.PF
%xn'\
>>?456789:;
!"#$%&'()* ,-./4
^,h%x
A.bSxo
CRT_PO
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_452_rwx_00520000_010BD000:
http:
.info/ho*y
me.gifI888
.text
JKERNEL32.dll}
.rel.
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
.reloc
%x.exe
USER32.dll
h.rdata
H.data
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
KERNEL32.DLL
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
%c%d_%d
purity_control_%x
.adata
M_%d_
?456789:;<=
!"#$%&'()* ,-./0123
mong%WinDir%\
%WinDir%\hywjfubtsnl.log
hXXp://slwocfd/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
%System%\drivers\jlgkkn.sys
24260316344
.rsrc
SHELL32.DLL
ShellExecuteA
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
3'&3&3&3&3&389
.xdata
@.CRT
CRT_PO
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
%original file name%.exe_452_rwx_023C0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_452_rwx_025D0000_00001000:
|%original file name%.exeM_452_
Explorer.EXE_1684_rwx_00ED0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Explorer.EXE_1684_rwx_00EE0000_00001000:
|explorer.exeM_1684_
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\byhnot.exe (849 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (1048 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.