Virus.Win32.Sality_a1472ba1e5
Trojan.Clive.B (BitDefender), Virus:Win32/Sality.AM (Microsoft), Trojan.Win32.Agent.aec (Kaspersky), Virus.Win32.Sality.ah (v) (VIPRE), Trojan.Clive.1 (DrWeb), Trojan.Clive.B (B) (Emsisoft), W32/Sality.gen.z (McAfee), W32.Sality.AE (Symantec), Trojan.Win32.Agent (Ikarus), Trojan.Clive.B (FSecure), Worm/AutoRun.HL (AVG), Win32:Kukacka (Avast), PE_SALITY.JER (TrendMicro), Trojan.Clive.B (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: a1472ba1e5c82265ca0c0964067f598e
SHA1: 59d91d24b6ec149b3f671e7c5b849d5304a3a66f
SHA256: c7be989e024ccf99d6acab8288da5020029f6cf999650627aa1cacf6fb4276dd
SSDeep: 1536:H4trYE4F rjfQFCghR3GbiIikVrYxp1GbdnJ5Y3Jd5olA4CZNyRzgflmwebLbTk/:yrYdAbI3PSigYL1GjcJrC98yRzgm3o86
Size: 90624 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Appsinstall
Created at: 2006-12-13 15:15:04
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
WINMINE.EXE:1064
WINMINE.EXE:3704
%original file name%.exe:664
netsh.exe:640
NOTEPAD.EXE:3664
NOTEPAD.EXE:960
NOTEPAD.EXE:4068
NOTEPAD.EXE:3524
NOTEPAD.EXE:3676
NOTEPAD.EXE:3732
The Virus injects its code into the following process(es):
soundmix.exe:1252
Explorer.EXE:840
File activity
The process %original file name%.exe:664 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%System%\soundmix.exe (601 bytes)
The process soundmix.exe:1252 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (74 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (8 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\READER_SL.EXE (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winpjslhs.exe (601 bytes)
%System%\dllcache\zipexr.dll (1137 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%System%\drivers\etc\hosts.tmp (1592 bytes)
The Virus deletes the following file(s):
C:\1a704f (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winpjslhs.exe (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
Registry activity
The process WINMINE.EXE:1064 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 FF EE F0 1B 89 42 3A 68 81 56 3B CA 32 FB 80"
The process WINMINE.EXE:3704 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 20 C8 3F 9A 06 B2 56 AF BB E2 0B 43 6D 5B 9E"
The process %original file name%.exe:664 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\adm914\695404737]
"14338242" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"7169121" = "217"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"35845605" = "471"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 9E 10 68 EC 49 4E C9 3B 3B 3D 8E B6 38 41 A5"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"21507363" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a Windows Firewall exception that allows the file any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The process netsh.exe:640 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 37 DE 3C 96 7F ED E5 5E 7A 56 5F 8C 62 48 CF"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Windows Firewall (standard profile) is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process NOTEPAD.EXE:3664 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 DB CB DB 40 6F 18 18 29 2D 67 E6 52 20 5E 8F"
The process NOTEPAD.EXE:960 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 52 77 FA B9 F6 B7 4C A8 B1 AB D4 91 C7 F0 45"
The process NOTEPAD.EXE:4068 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 8E 02 23 19 00 D0 52 C6 9F 69 30 EB 24 FE 91"
The process NOTEPAD.EXE:3524 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 AF 06 83 82 A3 87 C0 FF 17 CF 88 55 0B 30 B0"
The process NOTEPAD.EXE:3676 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 A4 9D 69 7A 1A 5A C8 44 17 E3 DD 1D 85 BE E9"
The process NOTEPAD.EXE:3732 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 42 34 64 DA 55 35 50 37 AB D5 C2 A5 6E 74 61"
The process soundmix.exe:1252 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\adm914]
"a3_27" = "176880658"
"a3_26" = "169827315"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_29" = "224867540"
"a3_28" = "183865525"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a2_15" = "107540644"
"a2_14" = "100362399"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\adm914]
"a2_11" = "78856959"
"a2_10" = "71695882"
"a2_13" = "93192711"
"a2_12" = "86025484"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\adm914]
"a2_18" = "129046807"
"a4_27" = "193566267"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\adm914]
"a2_9" = "64525285"
"a2_8" = "57356965"
"a2_5" = "35841808"
"a2_4" = "28674056"
"a2_7" = "50178272"
"a2_6" = "43010893"
"a2_1" = "7168686"
"a2_0" = "1743"
"a2_3" = "21508683"
"a2_2" = "14343026"
"a2_33" = "236579744"
"a2_28" = "200730980"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\adm914]
"a2_20" = "143380026"
"a2_21" = "150544393"
"a2_22" = "157727282"
"a2_23" = "164894819"
"a2_24" = "172063304"
"a2_25" = "179232331"
"a2_26" = "186392666"
"a3_30" = "231909751"
"a3_31" = "205278614"
"a3_32" = "212854281"
"a3_33" = "253401768"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\adm914]
"a3_34" = "260325067"
"a3_35" = "267899754"
"a1_32" = "602265198"
"a1_33" = "3109145567"
"a1_30" = "1265442423"
"a1_31" = "4148948687"
"a1_36" = "4226695193"
"a3_36" = "241268621"
"a1_34" = "1699763353"
"a2_29" = "207899705"
"a2_36" = "258082132"
"a2_35" = "250915225"
"a2_34" = "243745182"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914]
"a2_32" = "229415803"
"a2_31" = "222245133"
"a2_30" = "215077719"
"a1_2" = "4278044788"
"a1_3" = "4098587006"
"a1_0" = "316296286"
"a1_1" = "3634571327"
"a1_6" = "2544729640"
"a1_7" = "1626450342"
"a1_4" = "3750762994"
"a1_5" = "3876831160"
"a1_8" = "2521060167"
"a1_9" = "2882349781"
"a2_17" = "121880342"
"a3_4" = "11991981"
"a3_5" = "52535244"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_0" = "17001001"
"a3_1" = "23989832"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a4_36" = "258088356"
"a3_8" = "40388897"
"a3_9" = "47967552"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 98 9C 82 19 AE DD 50 27 99 4A 28 CC 39 7F 80"
[HKCU\Software\adm914]
"a1_20" = "1953821133"
"a1_23" = "1138271244"
"a1_22" = "2712197167"
"a1_25" = "3079395960"
"a1_24" = "1772529062"
"a1_27" = "3739576136"
"a1_26" = "1198391210"
"a1_29" = "4147190598"
"a1_28" = "20351173"
"a2_27" = "193561120"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a4_26" = "186397146"
"a2_19" = "136211138"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_30" = "215073630"
"a1_14" = "3865234451"
"a1_15" = "3810767384"
"a1_16" = "1515923791"
"a1_17" = "1498928167"
"a1_10" = "3437790119"
"a1_11" = "618734710"
"a1_12" = "1163033150"
"a1_13" = "3886342390"
"a1_18" = "2996532359"
"a1_19" = "2752519931"
[HKCR\exefile\shell\open\command]
"(Default)" = "soundmix %1 %*"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\adm914]
"a1_21" = "1155114925"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\adm914]
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a3_10" = "88506851"
"a3_11" = "95435266"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\adm914]
"a2_16" = "114708504"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\adm914]
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_17" = "121875057"
"a4_16" = "114705936"
"a4_15" = "107536815"
"a4_14" = "100367694"
"a4_13" = "93198573"
"a4_12" = "86029452"
"a4_11" = "78860331"
"a4_10" = "71691210"
"a4_31" = "222242751"
"a4_19" = "136213299"
"a4_18" = "129044178"
"a4_33" = "236580993"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914]
"a4_32" = "229411872"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\adm914]
"a1_35" = "742429164"
To run automatically at each Windows boot, the Virus adds a reference to its dropped file under the registry Run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmix" = "%System%\soundmix.exe"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
Adds a Windows Firewall exception that allows the dropped file any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32]
"soundmix.exe" = "%System%\soundmix.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
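The registry listing above is long but follows a small number of patterns: Security Center "Override" and "DisableNotify" flags set to 1, UAC switched off with EnableLUA=0 (no effect on the XP SP3 sandbox, but it disables UAC on Vista and later), Task Manager and the registry editor disabled, hidden-file display neutered, the firewall disabled and a firewall exception added for the dropped file, the exefile open handler replaced with "soundmix %1 %*" so every launched .exe passes through the dropper, and a Run entry for persistence. The Cryptography\RNG "Seed" writes attributed to WINMINE.EXE and NOTEPAD.EXE are made by CryptoAPI whenever a process draws random bytes and are not an indicator on their own. The checker below is an added example, not Lavasoft or Sality code. SAMPLE_VALUES is constructed from the report's own entries; note that on a real system the AuthorizedApplications value name is the full program path under the List key (the report renders the path as part of the key name), and a hypothetical winreg reader would feed live (key, name, data) tuples into check_registry in the same shape.

```python
"""Score registry (key, name, data) tuples against the tamper pattern this sample sets.

Added example, not from the report. SAMPLE_VALUES is constructed from the report's
registry activity; the last entry is a benign default included as a control.
"""
from __future__ import annotations

# (key, value name, bad data, meaning)
INDICATORS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA", "0", "UAC disabled"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1", "Task Manager disabled"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "1", "Registry editor disabled"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "2", "hidden files not shown"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", "0", "'Show hidden files' option neutered"),
    (r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall", "0", "Windows Firewall off"),
]
SECURITY_CENTER_KEYS = (r"HKLM\SOFTWARE\Microsoft\Security Center",
                        r"HKLM\SOFTWARE\Microsoft\Security Center\Svc")
FIREWALL_PREFIX = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKCR\exefile\shell\open\command"


def _norm(key: str) -> str:
    return key.lower()  # registry paths are case-insensitive


def parse_authorized_app(data: str) -> dict:
    """Parse an AuthorizedApplications\\List value: path:scope:Enabled|Disabled:name.
    The path contains a drive colon, so the three separators are split from the right."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError("not an AuthorizedApplications entry: %r" % data)
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "enabled": state.lower() == "enabled", "name": name}


def check_registry(values) -> list:
    """values: iterable of (key, name, data). Returns human-readable findings, one per hit."""
    sc_keys = {_norm(k) for k in SECURITY_CENTER_KEYS}
    findings = []
    for key, name, data in values:
        k, n, d = _norm(key), name.lower(), str(data)
        for ikey, iname, bad, why in INDICATORS:
            if k == _norm(ikey) and n == iname.lower() and d == bad:
                findings.append(why)
        if k in sc_keys and (n.endswith("override") or n.endswith("disablenotify")) and d == "1":
            findings.append("Security Center suppressed: %s" % name)
        if k.startswith(_norm(FIREWALL_PREFIX)) and "authorizedapplications" in k:
            try:
                app = parse_authorized_app(d)
            except ValueError:
                findings.append("unparseable firewall exception: %s" % d)
            else:
                if app["enabled"] and app["scope"] == "*":
                    findings.append("firewall exception for %s (any scope)" % app["path"])
        if k == _norm(EXEFILE_KEY) and n in ("", "(default)"):
            # Stock handler is "%1" %*; anything else runs an extra program for every .exe launch.
            if not d.strip().lower().startswith('"%1"'):
                findings.append("exefile handler hijacked: %s" % d)
        if k == _norm(RUN_KEY):
            findings.append("Run entry: %s = %s" % (name, d))
    return findings


# Constructed from the report's listing; real paths substituted for %System%.
SAMPLE_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "FirewallDisableNotify", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA", "0"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (FIREWALL_PREFIX + r"\StandardProfile", "EnableFirewall", "0"),
    (FIREWALL_PREFIX + r"\StandardProfile\AuthorizedApplications\List",
     r"C:\WINDOWS\system32\soundmix.exe", r"C:\WINDOWS\system32\soundmix.exe:*:Enabled:ipsec"),
    (EXEFILE_KEY, "(Default)", "soundmix %1 %*"),
    (RUN_KEY, "soundmix", r"C:\WINDOWS\system32\soundmix.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "1"),  # benign: show hidden files
]

if __name__ == "__main__":
    for f in check_registry(SAMPLE_VALUES):
        print(f)
```

The exefile handler check is the one most worth keeping after cleanup: deleting soundmix.exe while `HKCR\exefile\shell\open\command` still points at it leaves every .exe unlaunchable until the value is restored to `"%1" %*`.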
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Virus modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before any DNS lookup takes place. The modified file is 858 bytes in size and contains the following added entries:
| 61.129.115.198 | www.xldd.com |
| 61.129.115.198 | www.ojiang.com |
| 61.129.115.198 | www.shuixian.net |
| 61.129.115.198 | www.xlarea.com |
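All four added entries point different host names at the same public address, which is the shape of a redirection rather than the loopback "blackholing" of update and AV sites that other malware families use. The parser below is an added example, not part of the report: it reads a hosts file offline, ignores the stock localhost lines, and flags names mapped to a public IP, names mapped to 127.0.0.1 or 0.0.0.0 (ad-blocking lists do this legitimately, so treat those hits as context), and any public IP shared by several names. SAMPLE_HOSTS is constructed from the XP default plus the four lines the report lists.

```python
"""Hosts-file anomaly check (added example, not from the report).

SAMPLE_HOSTS is constructed: the Windows XP default localhost line plus the
four entries the report says the sample added.
"""
import ipaddress
from collections import defaultdict

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
61.129.115.198 www.xldd.com
61.129.115.198 www.ojiang.com
61.129.115.198 www.shuixian.net
61.129.115.198 www.xlarea.com
"""

# Names that legitimately sit on a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) per entry; strips inline comments, skips malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address in the first column; ignore the line
        yield ip, fields[1:]


def hosts_anomalies(text, min_names_per_ip=2):
    """Return findings for entries that redirect or blackhole names."""
    findings = []
    by_ip = defaultdict(list)
    for ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback and name.lower() in LOOPBACK_NAMES:
                continue
            if ip.is_loopback or ip.is_unspecified:
                # 127.0.0.1 / 0.0.0.0: blocks the name; malware uses it to cut off AV and update hosts
                findings.append("blackholed: %s -> %s" % (name, ip))
            elif ip.is_global:
                # public address: the name is silently redirected to a server the attacker controls
                by_ip[ip].append(name)
                findings.append("redirected: %s -> %s" % (name, ip))
    for ip, names in by_ip.items():
        if len(names) >= min_names_per_ip:
            findings.append("%d names share %s: %s" % (len(names), ip, ", ".join(names)))
    return findings


if __name__ == "__main__":
    for f in hosts_anomalies(SAMPLE_HOSTS):
        print(f)
```

Running it on the constructed file reports four redirected names and one shared-address finding; a clean XP hosts file yields nothing.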
Rootkit activity
No anomalies have been detected.
Propagation
The worm spreads via removable drives: it copies its executable to every removable drive and writes an "autorun.inf" alongside it. The autorun file launches the copy when a user opens the drive in Windows Explorer, on systems where AutoRun is still enabled for removable media.
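The sample's strings show the autorun.inf directives it writes, `shell\open\Command=RECYCLER\autorun.exe -OpenCurDir` and `shell\explore\Command=RECYCLER\autorun.exe -ExploreCurDir`: instead of the plain `open=` key they override Explorer's Open and Explore verbs, so a double-click or right-click "Explore" on the drive runs the copy hidden in a fake RECYCLER folder. The parser below is an added example, not Lavasoft or Sality code. It tolerates the padding and comment junk worms pack into these files, and its verdict flags any directive that launches a program, so a legitimate installer CD with `open=setup.exe` is also reported as suspicious; the recycle-bin path check is what singles out this family. SAMPLE_AUTORUN is constructed from the two directives in the strings, with an added `open=` line, a padding comment and an icon line as assumptions.

```python
"""Tolerant autorun.inf parser with a verdict for removable-drive worms.

Added example, not from the report. SAMPLE_AUTORUN is constructed from the
shell\\open and shell\\explore directives in the sample's strings; the open=,
comment and icon lines are assumptions typical of such files.
"""
import re

SAMPLE_AUTORUN = r"""[AutoRun]
;{8d3e7c0a} padding comment
open=RECYCLER\autorun.exe
shell\open\Command=RECYCLER\autorun.exe -OpenCurDir
shell\explore\Command=RECYCLER\autorun.exe -ExploreCurDir
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

EXEC_KEYS = ("open", "shellexecute")
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$")
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
EXEC_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js)\b", re.I)


def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section and key names.
    Blank lines, ';' or '#' comments, a BOM and lines without '=' are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip().lower()] = v.strip()
    return sections


def autorun_verdict(text):
    """Return ("suspicious", reasons) if any directive launches a program, else ("clean", [])."""
    ar = parse_autorun(text).get("autorun", {})
    reasons = []
    for k, v in ar.items():
        m = VERB_CMD.match(k)
        if k not in EXEC_KEYS and not m:
            continue
        what = "%s verb" % m.group(1) if m else k
        target = v.split()[0] if v.split() else ""
        if target.lower().startswith(HIDDEN_DIRS):
            reasons.append("%s runs from recycle-bin path: %s" % (what, v))
        elif EXEC_EXT.search(target):
            reasons.append("%s executes: %s" % (what, v))
    # 'shell=' changes which verb a double-click invokes; only 'open' is the default
    if ar.get("shell", "open").lower() not in ("", "open"):
        reasons.append("default verb changed to: %s" % ar["shell"])
    return ("suspicious" if reasons else "clean", reasons)


if __name__ == "__main__":
    verdict, why = autorun_verdict(SAMPLE_AUTORUN)
    print(verdict)
    for r in why:
        print(" -", r)
```

Pointing this at the root of each mounted removable drive is the check to run before trusting the "Find and delete all copies" step of the removal section.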
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 10980 | 11264 | 3.88527 | 968eff92897574dca273bebb1823948b |
| .data | 16384 | 1296 | 1536 | 1.38965 | 78a2c61d8db2888d424d60e8ea7437b1 |
| .bss | 20480 | 1504 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 24576 | 2904 | 3072 | 3.09122 | 5a15ea2c22a4e1efe19ed39213c3fb3c |
| .ndata | 28672 | 73728 | 73728 | 5.5394 | 4d0840621a6fb76f7e043c59e8273a65 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Virus connects to the servers at the following location(s):
.text
.data
.idata
.ndata
Win32.Dxclive
\soundmix.exe
\dllcache\zipexr.dll
RECYCLER\autorun.exe
autorun.inf
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
\drivers\etc\hosts.tmp
Kernel32.dll
C:\stop.txt
WindowsApp
shell\open\Command=RECYCLER\autorun.exe -OpenCurDir
shell\explore\Command=RECYCLER\autorun.exe -ExploreCurDir
61.129.115.198 www.xldd.com
61.129.115.198 www.ojiang.com
61.129.115.198 www.shuixian.net
61.129.115.198 www.xlarea.com
%System%\dllcache\zipexr.dll
%System%
soundmix.exe
%System%\soundmix.exe
RegCloseKey
RegOpenKeyExA
GetProcessHeap
ShellExecuteA
PSAPI.DLL
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
KERNEL32.DLL
http://www.deppartners.com/Media/images/xs.jpg
http://abrazgroup.com/images/logof.gif
http://egypco.net/xs.jpg
http://apnilife.com/images/s.jpg
http://abfar-khoozestan.com/images/xs.jpg
http://abdullahcaglar.com/images/s.jpg
http://abangar.com/images/xs.jpg
http://ideaevento.it/logof.gif
http://absolutetrace.com/images/s.jpg
http://abrestorasyon.com/images/s.jpg
http://tn69abi.com/images/xs.jpg
http://ketoanthue.com/images/logof.gif
http://68.168.222.206/logof.gif
Q*G.Cwtt$
\.lhh
/[email protected]
K.FX>Q
.LK'E
Phttp://89.11;
.info/home.gifv*y
.text^
.rdata
]6.dB
4.At%
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
UrlA'G
\'Web%f
HTTP)e
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
SHFileOperationA
soundmix.exe_1252_rwx_00401000_00001000:
Win32.Dxclive
\soundmix.exe
\dllcache\zipexr.dll
RECYCLER\autorun.exe
autorun.inf
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
soundmix.exe_1252_rwx_00408000_00010000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
soundmix.exe
.text
%System%\soundmix.exe
http://www.deppartners.com/Media/images/xs.jpg
http://abrazgroup.com/images/logof.gif
http://egypco.net/xs.jpg
http://apnilife.com/images/s.jpg
http://abfar-khoozestan.com/images/xs.jpg
http://abdullahcaglar.com/images/s.jpg
http://abangar.com/images/xs.jpg
http://ideaevento.it/logof.gif
http://absolutetrace.com/images/s.jpg
http://abrestorasyon.com/images/s.jpg
http://tn69abi.com/images/xs.jpg
http://ketoanthue.com/images/logof.gif
http://68.168.222.206/logof.gif
Q*G.Cwtt$
\.lhh
/[email protected]
K.FX>Q
.LK'E
Phttp://89.11;
.info/home.gifv*y
.text^
.rdata
]6.dB
4.At%
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
UrlA'G
\'Web%f
HTTP)e
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
soundmix.exe_1252_rwx_009F0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
soundmix.exe_1252_rwx_00A00000_00001000:
|soundmix.exeM_1252_
soundmix.exe_1252_rwx_011B0000_01033000:
c:\windows
http://www.deppartners.com/Media/images/xs.jpg
http://abrazgroup.com/images/logof.gif
http://egypco.net/xs.jpg
http://apnilife.com/images/s.jpg
http://abfar-khoozestan.com/images/xs.jpg
http://abdullahcaglar.com/images/s.jpg
http://abangar.com/images/xs.jpg
http://ideaevento.it/logof.gif
http://absolutetrace.com/images/s.jpg
http://abrestorasyon.com/images/s.jpg
http://tn69abi.com/images/xs.jpg
http://ketoanthue.com/images/logof.gif
http://68.168.222.206/logof.gif
%System%\drivers\lgrikf.sys
173059321620
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
h.rdata
H.data
.reloc
ntoskrnl.exe
Opera/8.81 (Windows NT 6.0; U; en)
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
NOTEPAD.EXE
WINMINE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
http://
http://klkjwre77638dfqwieuoi888.info/
www.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\abp470n5
WINDOWS
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
BackWeb Plug-in - 4476822
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
tcpsr
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
ASHWEBSV.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBPROXY.
WEBSCANX.
WEBTRAP.
sfc_os.dll
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetWindowsDirectoryA
GetProcessHeap
WinExec
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
.xdata
@.CRT
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
Explorer.EXE_840_rwx_01C60000_00001000:
Kernel32.dll
C:\stop.txt
Explorer.EXE_840_rwx_01C80000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
Explorer.EXE_840_rwx_01D10000_00001000:
|explorer.exeM_840_
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WINMINE.EXE:1064
WINMINE.EXE:3704
%original file name%.exe:664
netsh.exe:640
NOTEPAD.EXE:3664
NOTEPAD.EXE:960
NOTEPAD.EXE:4068
NOTEPAD.EXE:3524
NOTEPAD.EXE:3676
NOTEPAD.EXE:3732
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus (the Adobe Reader and Java Update executables in this list are legitimate programs the infector wrote into; restore them from a clean installer rather than leaving the modified copies in place):
%System%\soundmix.exe (601 bytes)
%WinDir%\system.ini (74 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (8 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\READER_SL.EXE (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winpjslhs.exe (601 bytes)
%System%\dllcache\zipexr.dll (1137 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%System%\drivers\etc\hosts.tmp (1592 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"soundmix" = "%System%\soundmix.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.