Virus.Win32.Sality_e1d5b7cf24

by malwarelabrobot on July 27th, 2013 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, TrojanDropperVtimrun.YR, GenericInjector.YR, VirusSality.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, Virus, WormAutorun


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: e1d5b7cf243b5d1391b6285b28fa88f5
SHA1: 90a696732a5bd137d3c24766518a97927e61b9a7
SHA256: 267242208c1ec7223a048d7052db5b3ed3c414b265f4f918a4a369e08e0a632e
SSDeep: 24576:Ny2tnn5BZVh+0Jr50sQNRxYpo1+wqu5W/K/5iBuC1taINPr:o2VZ5Jr5pQFYGTH5W93t7z
Size: 1124352 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Jottix
Created at: 2011-03-08 14:46:37


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour: WormAutorun
Description: The worm spreads via the drives it can reach. It writes a copy of its executable to the drive root and creates an "autorun.inf" next to it (in this run, on both C:\ and D:\). The autorun.inf tells Windows to run the dropped file when the drive is opened in Windows Explorer, on systems that still honour AutoRun for that drive type.


Process activity

The Virus creates the following process(es):

The Virus injects its code into the following process(es):

e1d5b7cf243b5d1391b6285b28fa88f5.exe:1280
PALKAZ~1.EXE:740

File activity

The process e1d5b7cf243b5d1391b6285b28fa88f5.exe:1280 makes the following file-system changes. The IXP000.TMP directory under the user's Temp folder is where an IExpress self-extracting package unpacks its contents, so the original sample is a wrapper that drops and then runs the actual payload, PALKAZ~1.EXE.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Server.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PALKAZ~1.EXE (81671 bytes)

The process PALKAZ~1.EXE:740 makes the following file-system changes. The byte counts are the amounts the sandbox saw written, not necessarily final file sizes. The writes to %WinDir%\system.ini, Reader_sl.exe (an Adobe Reader component) and jusched.exe (the Java Update Scheduler) modify legitimate existing files, which is consistent with Sality's file-infecting behaviour; the random-named root executables and autorun.inf files on C:\ and D:\ are the autorun spreading component.
The Virus creates and/or writes to the following file(s):

%WinDir%\system.ini (70 bytes)
D:\ebqg.exe (103 bytes)
D:\disablejavawarnsec.exe (1176 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
D:\autorun.inf (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winerdas.exe (741 bytes)
C:\bjigp.exe (103 bytes)
C:\autorun.inf (346 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\winerdas.exe (0 bytes)

Registry activity

The process e1d5b7cf243b5d1391b6285b28fa88f5.exe:1280 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 18 81 62 74 B1 24 E2 FE 2C 21 8F E8 EA 72 35"

(The RNG Seed value is rewritten by Windows whenever a process uses CryptoAPI and is not an indicator by itself.)

It also writes the following RunOnce entry. This is not a persistence mechanism: wextract_cleanup0 is the standard entry an IExpress self-extracting package leaves behind so that advpack.dll's DelNodeRunDLL32 deletes the IXP000.TMP extraction directory at the next logon. It confirms the IExpress wrapper and, when it runs, removes the dropped Server.exe and PALKAZ~1.EXE from that directory:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process PALKAZ~1.EXE:740 makes changes in the system registry.
Grouped by purpose: the Security Center values (set identically under HKLM\SOFTWARE\Microsoft\Security Center and its Svc subkey) make Security Center ignore the antivirus and firewall state and suppress antivirus, firewall, update and UAC warnings; EnableLUA=0 turns UAC off on Windows Vista and later; the StandardProfile firewall values disable the Windows Firewall; Explorer's Hidden=2 keeps hidden files out of view; GlobalUserOffline=0 takes Internet Explorer out of offline mode; HKCU\Software\Aas with its numeric subkey appears to be the sample's own configuration store; and the RNG Seed write is routine CryptoAPI activity. The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "3299283285"

[HKCU\Software\Aas\695404737]
"35845605" = "463"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "46481C6470CB6053A2944ECDB4DDE4665193DA4B365617F8DA3A7326E04FD138F32C7957E43E337B787B1FCE134E25C8FA8DDBE4C1B3A071973E11A56D33E05BAE13122A827142E165599DED991297931C47B4D5893CF802CE6B34169D08445CA2A755591705B86FAD56E544425A439E5A1200FA860F72B58819476DE5B7A125"

[HKCU\Software\Aas]
"a3_0" = "17001001"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"

[HKCU\Software\Aas\695404737]
"7169121" = "129"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 03 05 0C 9D 9E B1 EF 64 95 D0 93 76 0C 4D DD"

[HKCU\Software\Aas]
"a2_0" = "9832"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

The Windows Firewall (standard profile) is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Adds a Windows Firewall authorized-application exception for the dropped PALKAZ~1.EXE in the Temp extraction directory, allowing it unsolicited inbound connections from any address (scope "*") under the innocuous rule name "ipsec":

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP]
"PALKAZ~1.EXE" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\PALKAZ~1.EXE:*:Enabled:ipsec"
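As an added example (not part of the Lavasoft report, and not the sample's code): a small Python checker that parses a registry listing in the `[key]` / `"name" = "value"` layout used above and flags the values that weaken the host: the Security Center override and notification switches in both the main key and its Svc mirror, EnableLUA=0, the StandardProfile firewall switches, Explorer's Hidden=2, and any AuthorizedApplications exception whose program lives under a Temp directory. The embedded listing is constructed from a subset of the values recorded above with a placeholder user name in place of %CurrentUserName%; the rule table and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample listing in the report's own "[key]" / "name" = "value" layout.
# It copies a subset of the values the sandbox recorded, with a placeholder user
# name; the RNG Seed line is included because it is routine CryptoAPI noise that a
# checker must not flag.
SAMPLE_LISTING = r'''
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
"UacDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP]
"PALKAZ~1.EXE" = "C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\PALKAZ~1.EXE:*:Enabled:ipsec"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 18 81 62 74 B1 24 E2"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')

SECURITY_CENTER = r'hklm\software\microsoft\security center'
FIREWALL_PROFILE = (r'hklm\system\currentcontrolset\services\sharedaccess'
                    r'\parameters\firewallpolicy\standardprofile')
UAC_POLICY = r'hklm\software\microsoft\windows\currentversion\policies\system'
EXPLORER_ADVANCED = r'hkcu\software\microsoft\windows\currentversion\explorer\advanced'

# (key, value name, value that weakens the host, meaning). Keys are matched by
# prefix, so the mirrored ...\Security Center\Svc values are covered as well.
WEAKENING_VALUES = [
    (SECURITY_CENTER, 'antivirusoverride', '1', 'Security Center ignores antivirus state'),
    (SECURITY_CENTER, 'antivirusdisablenotify', '1', 'antivirus alerts suppressed'),
    (SECURITY_CENTER, 'firewalloverride', '1', 'Security Center ignores firewall state'),
    (SECURITY_CENTER, 'firewalldisablenotify', '1', 'firewall alerts suppressed'),
    (SECURITY_CENTER, 'updatesdisablenotify', '1', 'Windows Update alerts suppressed'),
    (SECURITY_CENTER, 'uacdisablenotify', '1', 'UAC alerts suppressed'),
    (FIREWALL_PROFILE, 'enablefirewall', '0', 'Windows Firewall disabled'),
    (FIREWALL_PROFILE, 'disablenotifications', '1', 'firewall block notifications disabled'),
    (UAC_POLICY, 'enablelua', '0', 'UAC disabled (Vista and later)'),
    (EXPLORER_ADVANCED, 'hidden', '2', 'Explorer hides hidden files'),
]


def parse_listing(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '[key]' / '"name" = "value"' lines into {key: {name: value}}.
    Keys and value names are lower-cased, since the registry is case-insensitive."""
    result: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            result.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            result[current][value_match.group(1).lower()] = value_match.group(2)
    return result


def parse_firewall_rule(value: str) -> Optional[Dict[str, str]]:
    """Split the XP-era AuthorizedApplications format 'path:scope:Enabled:name'.
    The path contains a drive-letter colon, so split from the right."""
    parts = value.rsplit(':', 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {'path': path, 'scope': scope, 'state': state, 'name': name}


def _under(key: str, base: str) -> bool:
    return key == base or key.startswith(base + '\\')


def analyze(listing: str) -> List[str]:
    """Return one finding per value that weakens the host's security posture."""
    findings: List[str] = []
    for key, values in parse_listing(listing).items():
        for base, name, bad, meaning in WEAKENING_VALUES:
            if _under(key, base) and values.get(name) == bad:
                findings.append(f'{meaning}: [{key}] "{name}" = "{bad}"')
        if '\\authorizedapplications\\list' in key:
            for value in values.values():
                rule = parse_firewall_rule(value)
                if rule and rule['state'].lower() == 'enabled' and '\\temp\\' in rule['path'].lower():
                    findings.append(f"firewall exception for a program in a Temp directory: "
                                    f"{rule['path']} (scope {rule['scope']})")
    return findings


if __name__ == '__main__':
    for finding in analyze(SAMPLE_LISTING):
        print(finding)
```

On a live host the same rule table can be fed from a `reg export` of the keys involved; the point of keeping the RNG Seed line in the sample is that a checker driven by "anything the malware touched" would otherwise flag a value that every CryptoAPI user rewrites.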

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

The worm spreads via the drives it can reach. It writes a copy of its executable to the drive root and creates an "autorun.inf" next to it; in this run the sandbox recorded C:\bjigp.exe with C:\autorun.inf and D:\ebqg.exe with D:\autorun.inf. The autorun.inf tells Windows to run the dropped file when the drive is opened in Windows Explorer, on systems that still honour AutoRun for that drive type.
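As an added example (not from the report) covering both the behaviour description and this propagation section: a Python triage routine for a drive root that parses an autorun.inf, lists the programs its open=, shellexecute= and shell\<verb>\command= directives would launch, and checks whether each target is actually present beside it. The demo builds a throwaway directory with a constructed autorun.inf (the report does not reproduce the real file's contents) pointing at a root executable named like the D:\ebqg.exe above; the function names are my own. Windows 7, and XP/Vista with KB971029 applied, no longer honour autorun.inf on USB mass-storage devices, so on those systems the file is mainly an indicator of infection rather than a working launch vector.

```python
import os
import re
import tempfile
from typing import Dict, List

# [autorun] directives that make Windows launch a program for the drive.
LAUNCH_DIRECTIVES = ('open', 'shellexecute')
SHELL_COMMAND_RE = re.compile(r'^shell\\[^\\]+\\command$')


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased.
    Anything inside the section that is not 'key=value' (comments, filler
    lines) is skipped instead of aborting the parse."""
    directives: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            in_section = line[1:-1].strip().lower() == 'autorun'
            continue
        if in_section and '=' in line:
            key, value = line.split('=', 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def _program(value: str) -> str:
    """Strip arguments from a command line, honouring a quoted program path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split()
    return parts[0] if parts else ''


def launched_programs(directives: Dict[str, str]) -> List[str]:
    """Programs that open=, shellexecute= or shell\\<verb>\\command= would run,
    in directive order, without duplicates."""
    programs: List[str] = []
    for key, value in directives.items():
        if key in LAUNCH_DIRECTIVES or SHELL_COMMAND_RE.match(key):
            program = _program(value)
            if program and program not in programs:
                programs.append(program)
    return programs


def triage_drive(root: str) -> List[str]:
    """Report what an autorun.inf at the drive root would launch and whether
    the referenced file is actually present next to it."""
    inf_path = os.path.join(root, 'autorun.inf')
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, 'r', errors='replace') as inf:
        directives = parse_autorun(inf.read())
    report: List[str] = []
    for program in launched_programs(directives):
        present = os.path.isfile(os.path.join(root, program))
        report.append(f"{program} ({'present' if present else 'missing'})")
    return report


def demo() -> List[str]:
    """Build a throwaway 'drive root' with a constructed autorun.inf and triage it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed content, not the sample's real autorun.inf: it points at a
        # random-looking root executable like the D:\ebqg.exe in the report, plus
        # one target that is deliberately absent and a filler line the parser
        # must tolerate.
        with open(os.path.join(root, 'autorun.inf'), 'w') as inf:
            inf.write('[AutoRun]\n'
                      'icon=shell32.dll,4\n'
                      'qjdhkwdhkjqw\n'
                      'open=ebqg.exe\n'
                      'shell\\open\\command=ebqg.exe\n'
                      'shell\\explore\\command=gone.exe\n')
        with open(os.path.join(root, 'ebqg.exe'), 'wb') as exe:
            exe.write(b'MZ')  # placeholder bytes, not a real executable
        return triage_drive(root)


if __name__ == '__main__':
    for line in demo():
        print(line)
```

To triage a real device, call `triage_drive` on the mounted root (`triage_drive('E:\\')` on Windows, or the mount point on a Linux analysis box); a "present" root executable with a random name is exactly the pairing the sandbox recorded on C:\ and D:\.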


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the original Virus's process (How to End a Process With the Task Manager).
  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus. %WinDir%\system.ini, Reader_sl.exe and jusched.exe are legitimate files the Virus modified: clean system.ini rather than deleting it, and disinfect or restore the two executables from a known-good copy rather than deleting them:

    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Server.exe (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PALKAZ~1.EXE (81671 bytes)
    %WinDir%\system.ini (70 bytes)
    D:\ebqg.exe (103 bytes)
    D:\disablejavawarnsec.exe (1176 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
    D:\autorun.inf (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\winerdas.exe (741 bytes)
    C:\bjigp.exe (103 bytes)
    C:\autorun.inf (346 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)

  4. Delete the following leftover RunOnce value (it is the IExpress cleanup entry, not a persistence entry, but it belongs to the infection) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
