Virus.Win32.Sality_7a6baa350b
Win32.Sality.3 (B) (Emsisoft), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, SearchProtectToolbar.YR, GenericInjector.YR, GenericAutorunWorm.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 7a6baa350b81a666b0b5a772d211caad
SHA1: 0afae3188b02920d422e4418e4eeb6ae31d6d7ca
SHA256: f1d65b27896d892dde102f537401e66edf1cddb5cb0e314a6b2d9c25a0b3b8d2
SSDeep: 24576:5UJndyw/c5zsCZOK06t3WStqe/YLNB3f tV6MbEE62IBI3:KVdywMzJOs3HqhRBWtVGm3
Size: 1343056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-19 02:11:18
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):
%original file name%.exe:304
Explorer.EXE:1684
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:304 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (169 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2.tmp.new (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3.tmp.new (66 bytes)
C:\hebam.exe (103 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (169 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\settings.dat.new (71 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar.benc.new (65 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
C:\autorun.inf (359 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winyimj.exe (741 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\1f91d2d17ea675d4c2c3192e241743f9_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (105 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar_offer.benc (4 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp.5876.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winyimj.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3.tmp.5889.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:304 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "406932077"
[HKCU\Software\Aas\695404737]
"35845605" = "509"
[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "6725818976"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\BitTorrent\uTorrent]
"OfferProvider" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "78674806A3861F72F7FBBF4459E2447BBB1A42BFC7AD3F9F8B6242699C86EB9DDA33E7F1CEC726A6BBFFC5F57712CCF7F1343FF5179C3FA5BE9D7D0CD1DB4A0B001DC22F1A3E3F9D40B2C10E1AAC3438B4AD546A932C794F41D6E3C5C12AC455E21F3013ED8634C8F551DD13DBE206D40FD35D5B18B779A77309D5F74D48F7FD"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\BitTorrent\uTorrent]
"OfferViaCAU" = "0"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "131"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\BitTorrent\uTorrent]
"OfferName" = ""
[HKCU\Software\BitTorrent]
"computerid" = "93 0F 2C 69 EC 9D 9F 7A E0 2A D1 1F 7C 8E A8 DC"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 6A 7B 39 63 9C 85 46 D5 5F 92 9F 07 D8 96 D5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Aas]
"a2_0" = "5565"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\BitTorrent\uTorrent]
"OfferAccepted" = "0"
The Virus modifies the IE security zone settings so that all local web nodes (host names without dots that are not assigned to any zone) are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
Adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The Virus modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 2dbf6e387e623d74a5b87240dd6e27c9 | c:\hebam.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: BitTorrent Inc.
Product Name: HD Player
Product Version: 3.4.1.30888
Legal Copyright: (c)2014 BitTorrent, Inc. All Rights Reserved.
Legal Trademarks:
Original Filename: uTorrent.exe
Internal Name: uTorrent.exe
File Version: 3.4.1.30888
File Description:
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 2093056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 2097152 | 1138688 | 1135104 | 5.54502 | 26ea57533aae56fde753c0ec2ccdbe22 |
| .rsrc | 3235840 | 196608 | 196608 | 5.19853 | 98f4ddcd2d7adf506c5eb6503103d592 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
3344058a05af2300c12adc54e9d71f08
URLs
| URL | IP |
|---|---|
| hxxp://67.215.246.203/installoffer.php?h=7J2feuAq0R98jqjc&v=109279400&w=A280105&l=en&c=US&db=iexplore.exe"&cl=uTorrent&tsub=1&svp=4 | |
| hxxp://update.utorrent.li/installstats.php?cl=uTorrent&v=109279400&h=7J2feuAq0R98jqjc&w=A280105&bu=0&pr=0&cmp=0&ocmp=0&offerretrievedfromserver&pid=304&cau=0&ServerOfferRetrieved=1&sec_offs=oc,adk&view=win32 | |
| hxxp://update.utorrent.li/installstats.php?cl=uTorrent&v=109279400&h=7J2feuAq0R98jqjc&w=A280105&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=304&cau=0&tbe=0&cd=0&view=win32 | |
| hxxp://bittorrent-sw.vo.llnwd.net/offers/ut-conduit-20130311.bmp | |
| hxxp://update.utorrent.li/installstats.php?cl=uTorrent&v=109279400&h=7J2feuAq0R98jqjc&w=A280105&bu=0&pr=0&cmp=0&ocmp=0&mismexecute&pid=304&cau=0&download=0&execute=0&error=mism execute succeeded&mismreturn=0&mismresult=provider:1,search:0,homepage:0&view=win32 | |
| hxxp://update.utorrent.li/updatestats.php?cl=uTorrent&v=109279400&h=7J2feuAq0R98jqjc&k=&ip=8&dns=31&con=31&dl=156&dlurl=http://llsw.download3.utorrent.com/offers/ut-conduit-20130311.bmp&svp=4&pid=304&sz=66022&bin= | |
| hxxp://update.utorrent.com/installoffer.php?h=7J2feuAq0R98jqjc&v=109279400&w=A280105&l=en&c=US&db=iexplore.exe"&cl=uTorrent&tsub=1&svp=4 | |
| hxxp://update.utorrent.li/updatestats.php?cl=uTorrent&v=109279400&h=7J2feuAq0R98jqjc&k=&ip=8&dns=31&con=31&dl=156&dlurl=http://llsw.download3.utorrent.com/offers/ut-conduit-20130311.bmp&svp=4&pid=304&sz=66022&bin=<NULL>bmp&p1=192.168.25.3&m1=0&p3=10.235.0.11&m3=0&p4=193.138.244.106&m4=1&p5=46.164.136.181&m5=0&p6=80.91.160.129&m6=9&p7=80.91.160.158&m7=34&p8=195.22.214.108&m8=37&p9=89.221.34.121&m9=37&p10=87.248.216.137&m10=48&p11=69.28.172.105&m11=43&p12=87.248.217.253&m12=35 | |
| hxxp://llsw.download3.utorrent.com/offers/ut-conduit-20130311.bmp | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET P2P BTWebClient UA uTorrent in use
Traffic
GET /installstats.php?cl=uTorrent&v=109279400&h=7J2feuAq0R98jqjc&w=A280105&bu=0&pr=0&cmp=0&ocmp=0&showtbexists&pid=304&cau=0&tbe=0&cd=0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.li
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Sun, 03 Aug 2014 09:59:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.300..
GET /installstats.php?cl=uTorrent&v=109279400&h=7J2feuAq0R98jqjc&w=A280105&bu=0&pr=0&cmp=0&ocmp=0&offerretrievedfromserver&pid=304&cau=0&ServerOfferRetrieved=1&sec_offs=oc,adk&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.li
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Sun, 03 Aug 2014 09:59:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.300..
GET /updatestats.php?cl=uTorrent&v=109279400&h=7J2feuAq0R98jqjc&k=&ip=8&dns=31&con=31&dl=156&dlurl=http://llsw.download3.utorrent.com/offers/ut-conduit-20130311.bmp&svp=4&pid=304&sz=66022&bin=<NULL>bmp&p1=192.168.25.3&m1=0&p3=10.235.0.11&m3=0&p4=193.138.244.106&m4=1&p5=46.164.136.181&m5=0&p6=80.91.160.129&m6=9&p7=80.91.160.158&m7=34&p8=195.22.214.108&m8=37&p9=89.221.34.121&m9=37&p10=87.248.216.137&m10=48&p11=69.28.172.105&m11=43&p12=87.248.217.253&m12=35 HTTP/1.1
Host: update.utorrent.li
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Sun, 03 Aug 2014 09:59:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.30
Expires: Thu, 21 Jul 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Pragma: no-cache0..
GET /installoffer.php?h=7J2feuAq0R98jqjc&v=109279400&w=A280105&l=en&c=US&db=iexplore.exe"&cl=uTorrent&tsub=1&svp=4 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Sun, 03 Aug 2014 09:59:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.30
Expires: Thu, 21 Jul 1980 00:00:00 GMT
Cache-Control: private
Last-Modified: Sun, 03 Aug 2014 09:59:43 GMT
GET /offers/ut-conduit-20130311.bmp HTTP/1.1
Host: llsw.download3.utorrent.com
User-Agent: BTWebClient/3410(30888)
Accept-Encoding: gzip
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.4
Content-Type: image/x-ms-bmp
Cache-Control: max-age=3600
Accept-Ranges: bytes
Age: 1855
Date: Sun, 03 Aug 2014 09:59:54 GMT
Last-Modified: Mon, 11 Mar 2013 21:01:14 GMT
Expires: Sun, 03 Aug 2014 10:28:59 GMT
Content-Length: 66022
Connection: close
GET /installstats.php?cl=uTorrent&v=109279400&h=7J2feuAq0R98jqjc&w=A280105&bu=0&pr=0&cmp=0&ocmp=0&mismexecute&pid=304&cau=0&download=0&execute=0&error=mism execute succeeded&mismreturn=0&mismresult=provider:1,search:0,homepage:0&view=win32 HTTP/1.1
Accept-Encoding: gzip
User-Agent: uTorrent(30888)/3.4.1
Host: update.utorrent.li
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Sun, 03 Aug 2014 09:59:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.300..
The Virus connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (169 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt2.tmp.new (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt3.tmp.new (66 bytes)
C:\hebam.exe (103 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (169 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\settings.dat.new (71 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar.benc.new (65 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
C:\autorun.inf (359 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winyimj.exe (741 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\1f91d2d17ea675d4c2c3192e241743f9_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (105 bytes)
%Documents and Settings%\%current user%\Application Data\uTorrent\toolbar_offer.benc (4 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.