MD5: 6a82d9ee1fa3f56f9d009338bbc56ba5
SHA1: 69fd6b9692faca89d1851a0dccf3e4d10905f306
SHA256: a525e792bf8cce73855707cc7e835303e8b52d6a02c76e5a3bfd5729c8d56e64
SSDeep: 24576:KITb5wkO3cMZfbrRqT69tttKfTraPUSxIqpvVSlGVjM1U5XeIAmOLwQCU2zWk9MJ:KD79RqTU7ATrGxLRVSIVI8YwdUE9MHT
Size: 1735528 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-05 16:05:49
Analyzed on: WindowsXP SP3 32-bit

Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Process activity

The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):

%original file name%.exe:1600
Explorer.EXE:532

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1600 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)
C:\ajyrki.pif (103 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winkmwrsa.exe (741 bytes)
C:\autorun.inf (268 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\winkmwrsa.exe (0 bytes)

Registry activity

The process %original file name%.exe:1600 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "4079183183"

[HKCU\Software\Aas\695404737]
"35845605" = "126"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "1D871A696EEE8AC56F63CE2EBB23BA3471EF18EB1AA3AB551FF3A8B9F9C54AE9431FACFD2B3D2E7A746A1A9876DCFBDD7893F06B7D08BBD7EEB6BC659DA39F212059974A104C0E2FD36C5C5FA138C2A156496BA865106B76FF46E58563580A15F9928C36BA1D4CA04C4CBEC667525967886DE75CC2A91418D983CFE25BC2E3CC"
"43014726" = "0400687474703A2F2F3138342E3137332E3233382E3134302F6C6F676F2E67696600687474703A2F2F35302E32332E3234362E3138312F6C6F676F2E67696600687474703A2F2F3138342E3137332E3233382E3134302F6C6F676F2E67696600687474703A2F2F3231362E31322E3231392E35382F6C6F676F2E676966"

[HKCU\Software\Aas]
"a3_0" = "17001001"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "164"

"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 C8 B4 CE 70 93 11 FD 36 81 F0 66 E6 C9 3C 2B"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a2_0" = "8092"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: GOOBZO
Product Name: YouTube Accelerator
Product Version: 1.0.0.1
Legal Copyright: Copyright (c) 2013 GOOBZO Ltd.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
7a8984c6f57470354b8d02748a0f4917

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Virus connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.text1

.adata

.data1

.pdata

.rsrc

aSSSh

FTPjK

FtPj;

C.PjRV

]@ ]( ]8

tGHt.Ht&

FTPQ

.?AVunsupported_thread_option@boost@@

zcÁ

SetProcessShutdownParameters

kernel32.dll

COMCTL32.DLL

boost::too_few_args: format-string referred to more arguments than were passed

boost::too_many_args: format-string referred to less arguments than were passed

Required USB Key not found

Failed to execute target process

Cannot find import; DLL may be missing, corrupt, or wrong version

File "%s", function "%s"

File "%s", ordinal %d

File "%s", error %d

(Error code %d)

%X:DAF

(Location XEB, error code %d)

_PAD%d

RNX

%X::DAX

KERNEL32.DLL

.DbgLog

GetWindowsDirectoryW

CreateDialogIndirectParamW

Kernel32.dll

User32.dll

ComDlg32.dll

1.2.3

EXCEPTION_FLT_INVALID_OPERATION

EXCEPTION_FLT_DENORMAL_OPERAND

boost::unsupported_thread_option

mscoree.dll

Visual C   CRT: Not enough memory to complete call to strerror.

.mixcrt

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

ADVAPI32.DLL

portuguese-brazilian

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

USER32.DLL

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

y=%X'WbD

c:\6a82d9ee1fa3f56f9d009338bbc56ba5-2.DbgLog

c:\%original file name%.exe

GetWindowsDirectoryA

KERNEL32.dll

EnumThreadWindows

EnumWindows

CreateDialogIndirectParamA

GetAsyncKeyState

USER32.dll

GDI32.dll

comdlg32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

^.Ad/

.Zvv[

j%FwL

e.tu/

5%up/

A.YNpN\n

%Um-IF

.BV$L|

%X1:S

`?T%Sj

%x@k4

.iyDY

j.Wsf

Cr.BxL

V.Fb7|

$"bM-Q}n

%x R\X

4%sPp

_%S3@

.LvHT

.owm;y,

}R.zmA

.bi@{

>I|.pt|d

t_\A

p}.GF

G){.mf

.xh$x

U.gs!

J|0.tL

.iJp`

.zE:aG

.7%Xs

-DED%xFqz

%cnzb

%UQzss

1%.Ey\=

/\%Dg

.FlC\5

.cA~;

P?=I_.or\

E.yb|4

%SuSw

T.UHuR

.nm4`

1E.tz

!8%dg

J=|_%U

M.yr1Ts

G%=<

{.IA0

\b

-4}eF

a.km 

.hh,T

7'M.Cj

y.Bb_

PJ(%f

`.data

@.reloc

WS2_32.DLL

sporder.pdb

RegEnumKeyExA

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

SPORDER.dll

SupportedNameSpace

sporder.dll

.reloc

c:\Documents and Settings\barak\Desktop\VistaInfo8\release\VistaInfo8.pdb

VistaInfo8.dll

9.vTH

C:\dev\Komodia\lsp\My sample - added features S4\VistaInfo8\x64\Release64\VistaInfo8.pdb

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>

SHELL32.DLL

ShellExecuteA

%original file name%.exe

 =.ztj

hXXp://184.173.238.140/logo.gif

hXXp://50.23.246.181/logo.gif

hXXp://216.12.219.58/logo.gif

/fmain.gif

hXXp://shreeramworld.com/images/logo.gif

hXXp://VVV.cateringdeva.ro/img/fmain.gif

hXXp://bjmediaedu.com/images/logo.gif

hXXp://centroquiropraxia.com.br/images/logo.gif

hXXp://blryan.com/logo.gif

hXXp://chaloosrood.com/images/logo.gif

hXXp://buket-fmm.atspace.com/logo.gif

.info/J

home.gifI888

h.rata

Bkrnl.exe?

= =$=(=,=

322%2`.50728)

.klkjw:9fqwi

FamXf39.sys

.pBTa8

%s:*:

Bg.laXV

&?%x=

GUrlA'

Web%w|nc

HTTP)

2GUARDCMD.

.ENHCDM

PL/KPCKwWEB

MM.PFW.

.bssf

J:CRT

MSVCRT.dll

SHELL32.dll

WS2_32.dll

SHFileOperationA

a3f56f9d009338bbc56ba5.exe

5.2.3790.0 (srv03_rtm.030324-2048)

Windows

Operating System

5.2.3790.0

1.0.0.1

%original file name%.exe_1600_rwx_0061B000_00010000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

%original file name%.exe

.rsrc

c:\%original file name%.exe

 =.ztj

hXXp://184.173.238.140/logo.gif

hXXp://50.23.246.181/logo.gif

hXXp://216.12.219.58/logo.gif

/fmain.gif

hXXp://shreeramworld.com/images/logo.gif

hXXp://VVV.cateringdeva.ro/img/fmain.gif

hXXp://bjmediaedu.com/images/logo.gif

hXXp://centroquiropraxia.com.br/images/logo.gif

hXXp://blryan.com/logo.gif

hXXp://chaloosrood.com/images/logo.gif

hXXp://buket-fmm.atspace.com/logo.gif

.info/J

home.gifI888

.text

KERNEL32.dll

h.rata

Bkrnl.exe?

= =$=(=,=

322%2`.50728)

.klkjw:9fqwi

FamXf39.sys

.pBTa8

%s:*:

Bg.laXV

&?%x=

GUrlA'

Web%w|nc

HTTP)

2GUARDCMD.

.ENHCDM

PL/KPCKwWEB

MM.PFW.

.bssf

J:CRT

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

USER32.dll

WS2_32.dll

RegCloseKey

SHFileOperationA

%original file name%.exe_1600_rwx_00C10000_0108E000:

c:\windows

hXXp://184.173.238.140/logo.gif

hXXp://50.23.246.181/logo.gif

hXXp://216.12.219.58/logo.gif

 =.ztj

%System%\drivers\ofshs.sys

8320781387

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

hXXp://89.119.67.154/testo5/

hXXp://kukutrustnet777.info/home.gif

hXXp://kukutrustnet888.info/home.gif

hXXp://kukutrustnet987.info/home.gif

.text

KERNEL32.dll

USER32.dll

h.rdata

H.data

.reloc

ntoskrnl.exe

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)

Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion

hXXp://VVV.klkjwre9fqwieluoi.info/

hXXp://kukutrustnet777888.info/

Software\Microsoft\Windows\CurrentVersion\policies\system

Software\Microsoft\Windows\ShellNoRoam\MUICache

%s:*:Enabled:ipsec

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

GdiPlus.dll

hXXp://

ipfltdrv.sys

VVV.microsoft.com

?%x=%d

&%x=%d

SYSTEM.INI

USER32.DLL

.%c%s

\\.\amsint32

NTDLL.DLL

autorun.inf

ADVAPI32.DLL

win%s.exe

%s.exe

WININET.DLL

InternetOpenUrlA

avast! Web Scanner

Avira AntiVir Premium WebGuard

cmdGuard

cmdAgent

Eset HTTP Server

ProtoPort Firewall service

SpIDer FS Monitor for Windows NT

Symantec Password Validation

WebrootDesktopFirewallDataService

WebrootFirewall

%d%d.tmp

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

%s\%s

%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

Software\Microsoft\Windows\CurrentVersion\Ext\Stats

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Explorer.exe

A2CMD.

ASHWEBSV.

AVGCC.AVGCHSVX.

DRWEB

DWEBLLIO

DWEBIO

FSGUIEXE.

MCVSSHLD.

NPFMSG.

SYMSPORT.

WEBSCANX.

.adata

M_%d_

%c%d_%d

?456789:;<=

!"#$%&'()* ,-./0123

GetProcessHeap

GetWindowsDirectoryA

RegEnumKeyExA

RegDeleteKeyA

RegOpenKeyExA

RegCreateKeyA

RegCloseKey

SHFileOperationA

&3&3&3&389

.rdata

.data

Bkrnl.exe?

= =$=(=,=

322%2`.50728)

.klkjw:9fqwi

FamXf39.sys

.pBTa8

%s:*:

Bg.laXV

&?%x=

GUrlA'

Web%w|nc

HTTP)

2GUARDCMD.

.ENHCDM

PL/KPCKwWEB

MM.PFW.

.bssf

J:CRT

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

WS2_32.dll

Explorer.EXE_532_rwx_01E00000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

%original file name%.exe_1600_rwx_01CB0000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

%original file name%.exe_1600_rwx_01CC0000_00001000:

|%original file name%.exeM_1600_

Explorer.EXE_532_rwx_01E10000_00001000:

|explorer.exeM_532_

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Virus file.
   
3. Delete or disinfect the following files created/modified by the Virus:
   

   %WinDir%\system.ini (70 bytes)
   C:\ajyrki.pif (103 bytes)
   %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\winkmwrsa.exe (741 bytes)
   C:\autorun.inf (268 bytes)
   %Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)

4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.