Virus.Win32.Sality_f479c9b635

by malwarelabrobot on June 9th, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.FlyStudio.ho (Kaspersky), Trojan.Generic.1344534 (B) (Emsisoft), Trojan.Generic.1344534 (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: f479c9b63594d5b0d779ad788ef2654e
SHA1: a90a881403d4a8207c85868db1f6bc99eb710d0c
SHA256: 1884444b14c3e7755a5b599373b9ee27579838a837425b234b584067cbc9c026
SSDeep: 24576:JD9RrpjzYts4E59IrYnjtscr/dMYry/Zn1lTCvoKFmrj9G7yZlra2ST:JDFY 9I6tssMYo/OvoNGqxavT
Size: 1305715 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Appsinstalls
Created at: 1972-12-25 08:33:23
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Virus creates the following process(es):

%original file name%.exe:1808
WINMINE.EXE:2484
WINMINE.EXE:2456
XP-0C5BA6B1.EXE:3332
NOTEPAD.EXE:2956
NOTEPAD.EXE:2864
NOTEPAD.EXE:2660
netsh.exe:1128
netsh.exe:2016
mscorsvw.exe:1924

The Virus injects its code into the following process(es):

XP-542ADE6B.EXE:1748
Explorer.EXE:840

File activity

The process XP-542ADE6B.EXE:1748 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%System%\XP-0C5BA6B1.EXE (7386 bytes)
%System%\com.run (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%System%\spec.fne (601 bytes)
%System%\krnln.fnr (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%System%\ul.dll (2 bytes)
%System%\og.edt (512 bytes)
%System%\og.dll (692 bytes)
%System%\eAPI.fne (1425 bytes)
%System%\dp1.fne (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
%System%\RegEx.fne (673 bytes)
%System%\internet.fne (673 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fne (167 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (1250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0015DD1B_Rar\XP-542ADE6B.EXE (7971 bytes)
%System%\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (202 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (202 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%System%\XP-0C5BA6B1.EXE (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

The process %original file name%.exe:1808 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0015CDAA_Rar\%original file name%.exe (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fne (167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (266 bytes)
%System%\XP-542ADE6B.EXE (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)

The Virus deletes the following file(s):

C:\15d7cc (0 bytes)

The process XP-0C5BA6B1.EXE:3332 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0016DF0A_Rar\XP-0C5BA6B1.EXE (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\N5IYINQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\CTYRS9I3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\O1E70XUN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WTUF81AV\desktop.ini (67 bytes)

Registry activity

The process XP-542ADE6B.EXE:1748 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 24 05 C1 46 20 AA 9B 4C 71 C3 76 C0 5A A2 C2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Virus deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"Explorer.EXE"

The process %original file name%.exe:1808 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\adm914]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\adm914]
"a1_0" = "3432392762"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\adm914\695404737]
"43014726" = "0800687474703A2F2F7777772E63686F6768617A616E62696C2E636F6D2F496D616765732F6C6F676F732E67696600687474703A2F2F3231362E33322E37352E37342F68322F6D61696E682E67696600687474703A2F2F6D61737572656E2D66657269656E686175732E636F6D2F6C6F676F732E67696600687474703A2F2F726164696F2E697269622E69722F66617268616E672F696D616765732F6C6F676F732E67696600687474703A2F2F7777772E676161686F6C64696E672E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F7A697961676F6B616C70696C6B6F67726574696D37322E6D65622E6B31322E74722F696D616765732F6C6F676F732E67696600687474703A2F2F70696E67616B73682E636F6D2F696D616765732F6D61696E662E67696600687474703A2F2F7777772E7261696C77617973657276696365732E62652F696D616765732F6C6F676F732E676966"
"14338242" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\adm914\695404737]
"7169121" = "70"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\adm914\695404737]
"35845605" = "351"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 0F 83 D7 C3 68 99 A5 25 87 17 A3 85 D8 39 82"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\adm914\695404737]
"28676484" = "35"

[HKCU\Software\adm914]
"a3_0" = "17001001"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\adm914\695404737]
"50183847" = "9523A1A4A2113100192A343757A2C88ABADA9DAAB930E267905CA9896D1481CF7527864E5620A7BE2090C615D10C8E18D12256AD54B019EC5A31B0C4800A9DFD5D2134EB7ACB54E4ABA37D2F47FA95654965F2A0A8514BF2F7258A3F2578B2D2AE39CFFF3D8C4E0E79E5FBFD9E60AE52EB9628AE9D2534F2C4F77F1D416FAD3E"

[HKCU\Software\adm914]
"a2_0" = "5517"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\adm914\695404737]
"21507363" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The process WINMINE.EXE:2484 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 FD DF 47 D2 8E 9F E3 69 59 A4 E5 0D DB 79 53"

The process WINMINE.EXE:2456 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C C5 BB BE 48 18 66 89 F1 FD 63 30 DF 63 80 B8"

The process XP-0C5BA6B1.EXE:3332 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 90 7D 91 76 90 82 CE AE 7E C4 AD B5 50 2E D1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP-542ADE6B" = "%System%\XP-542ADE6B.EXE"

The process NOTEPAD.EXE:2956 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 61 A2 C9 49 D5 79 A1 B0 51 39 16 F3 0B 1C E6"

The process NOTEPAD.EXE:2864 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 B0 37 52 A4 FD 2C BE 86 23 3C 47 0E 68 F2 1C"

The process NOTEPAD.EXE:2660 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 24 D5 AC 66 3A D2 D3 CF 38 68 06 47 CE 80 0F"

The process netsh.exe:1128 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 0D CC 17 F4 6F 5A E7 63 56 BA DD CD FF 3D E6"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process netsh.exe:2016 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 85 B5 0A B1 4A 6E 01 EA A7 72 E1 8D EF 29 F5"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process mscorsvw.exe:1924 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1320000"

Dropped PE files

MD5 File path
a85d63acefa7a6fa639787e364c16892 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\RegEx.fne
ce2f773275d3fe8b78f4cf067d5e6a0f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\com.run
6d4b2e73f6f8ecff02f19f7e8ef9a8c7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\dp1.fne
25b794b18bd8d03dc9530111cbce4173 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\eAPI.fne
56e9e121d68b5631a360d56b2ef4777f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\internet.fne
1081d7eb7a17faedfa588b93fc85365e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\krnln.fnr
d54753e7fc3ea03aec0181447969c0e8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\shell.fne
c4337f54ceb6765fda33f96b8408c013 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\spec.fne
a85d63acefa7a6fa639787e364c16892 c:\WINDOWS\system32\RegEx.fne
ce2f773275d3fe8b78f4cf067d5e6a0f c:\WINDOWS\system32\com.run
6d4b2e73f6f8ecff02f19f7e8ef9a8c7 c:\WINDOWS\system32\dp1.fne
25b794b18bd8d03dc9530111cbce4173 c:\WINDOWS\system32\eAPI.fne
56e9e121d68b5631a360d56b2ef4777f c:\WINDOWS\system32\internet.fne
1081d7eb7a17faedfa588b93fc85365e c:\WINDOWS\system32\krnln.fnr
d54753e7fc3ea03aec0181447969c0e8 c:\WINDOWS\system32\shell.fne
c4337f54ceb6765fda33f96b8408c013 c:\WINDOWS\system32\spec.fne

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23159 24576 4.49192 72e6acfc55bc338d169ca23398c88cee
.rdata 28672 2740 4096 2.58278 463198fd8b2f88fd5103d98401bc4208
.data 32768 16288 16384 1.1277 4d10d5012dbf5bb91ac5ce1ef6fe5d8c
.data 49152 102400 102400 4.01797 b09be7d4b6de102e56389e18982ac7e1
.rsrc 151552 17848 20480 2.29672 23ab1f79bcf01df8b90a3d24c5b15618
.7rdata 172032 77824 77824 5.54124 51b35b0c6a3885ce97f63128562e4cf8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://lb1.www.ms.akadns.net/
hxxp://hi.n.shifen.com/siletoyou
hxxp://ghs.googlehosted.com/ul.htm
hxxp://ghs.googlehosted.com/au.htm
hxxp://www3.l.google.com/site/wwwbloguser/au.htm
hxxp://www.microsoft.com/ 1.103.192.54
hxxp://www.bloguser.googlepages.com/au.htm 64.233.171.121
hxxp://www.baihe.googlepages.com/ul.htm 64.233.171.121
hxxp://sites.google.com/site/wwwbloguser/au.htm 173.194.43.32
hi.baidu.com 180.76.2.41


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Microsoft user-agent automated process response to automated request

Traffic

GET /au.htm HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.bloguser.googlepages.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Location: hXXp://sites.google.com/site/wwwbloguser/au.htm
Date: Sun, 08 Jun 2014 09:57:06 GMT
Content-Type: text/html; charset=UTF-8
Server: ghs
Content-Length: 244
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>301 Moved</TITLE></HE
AD><BODY>.<H1>301 Moved</H1>.The document has mov
ed.<A HREF="hXXp://sites.google.com/site/wwwbloguser/au.htm">her
e</A>...</BODY></HTML>....



GET /ul.htm HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.baihe.googlepages.com
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sun, 08 Jun 2014 09:57:06 GMT
Content-Type: text/html; charset=UTF-8
Server: ghs
Content-Length: 1431
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
<!DOCTYPE html>.<html lang=en>.  <meta charset=utf-8>
;.  <meta name=viewport content="initial-scale=1, minimum-scale=1, 
width=device-width">.  <title>Error 404 (Not Found)!!1</ti
tle>.  <style>.    *{margin:0;padding:0}html,code{font:15px/2
2px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body
{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px
}* > body{background:url(//VVV.google.com/images/errors/robot.png) 
100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:h
idden}ins{color:#777;text-decoration:none}a img{border:0}@media screen
 and (max-width:772px){body{background:none;margin-top:0;max-width:non
e;padding-right:0}}#logo{background:url(//VVV.google.com/images/errors
/logo_sm_2.png) no-repeat}@media only screen and (min-resolution:192dp
i){#logo{background:url(//VVV.google.com/images/errors/logo_sm_2_hr.pn
g) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//VVV.google.com/im
ages/errors/logo_sm_2_hr.png) 0}}@media only screen and (-webkit-min-d
evice-pixel-ratio:2){#logo{background:url(//VVV.google.com/images/erro
rs/logo_sm_2_hr.png) no-repeat;-webkit-background-size:100% 100%}}#log
o{display:inline-block;height:55px;width:150px}.  </style>.  <
;a href=//VVV.google.com/><span id=logo aria-label=Google><
;/span></a>.  <p><b>404.</b> <ins>Tha
t...s an error.</ins>.  <p>The requested URL <code>/
ul.htm</code> was not found on this server.  <ins>That
<<< skipped >>>


GET / HTTP/1.1
User-Agent: test
Host: VVV.microsoft.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Last-Modified: Mon, 16 Mar 2009 20:35:26 GMT
Accept-Ranges: bytes
ETag: "67991fbd76a6c91:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 08 Jun 2014 09:57:04 GMT
Content-Length: 1020
<html><head><title>Microsoft Corporation</title&g
t;<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"><
;/meta><meta http-equiv="Content-Type" content="text/html; chars
et=utf-8"></meta><meta name="SearchTitle" content="Microso
ft.com" scheme=""></meta><meta name="Description" content=
"Get product information, support, and news from Microsoft." scheme=""
></meta><meta name="Title" content="Microsoft.com Home Pag
e" scheme=""></meta><meta name="Keywords" content="Microso
ft, product, support, help, training, Office, Windows, software, downl
oad, trial, preview, demo,  business, security, update, free, computer
, PC, server, search, download, install, news" scheme=""></meta&
gt;<meta name="SearchDescription" content="Microsoft.com Homepage" 
scheme=""></meta></head><body><p>Your curre
nt User-Agent string appears to be from an automated process, if this 
is incorrect, please click this link:<a href="hXXp://VVV.microsoft.
com/en/us/default.aspx?redir=true">United States English Microsoft 
Homepage</a></p></body></html>....



GET /site/wwwbloguser/au.htm HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: sites.google.com
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: hXXps://sites.google.com/site/wwwbloguser/au.htm
Date: Sun, 08 Jun 2014 09:57:06 GMT
Expires: Sun, 08 Jun 2014 09:57:06 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic
Transfer-Encoding: chunked
e6..<HTML>.<HEAD>.<TITLE>Moved Temporarily</TITLE
>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H
1>Moved Temporarily</H1>.The document has moved <A HREF="h
ttps://sites.google.com/site/wwwbloguser/au.htm">here</A>..&l
t;/BODY>.</HTML>...0..

The Virus connects to the servers at the folowing location(s):

XP-542ADE6B.EXE_1748:

.text
.rdata
.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
krnln.fne
krnln.fnr
1.1.3
%System%\XP-542ADE6B.EXE
@@shdocvw.dll
{8856F961-340A-11D0-A96B-00C04FD705A2}##0
2,{34A226E0-DF30-11CF-89A9-00A0C9054129},CommandStateChangeConstants,{},{1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDID,{},{1073741880,1073741879,1073741878,1073741877,1073741876,1073741875,1073741874,1073741873,1073741872,1073741871,1073741870,1073741869,1073741868,1073741867,1073741866,1073741865,1073741864,1073741863,1073741862,1073741861,1073741860,1073741859,1073741858,1073741857,1073741856,1073741855,1073741854,1073741853,1073741852,1073741851,1073741850,1073741849,1073741848,1073741847,1073741846,1073741845,1073741844,1073741843,1073741842,1073741841,1073741840,1073741839,1073741838,1073741837,1073741836,1073741835,1073741834,1073741833,1073741832,1073741831,1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDF,{},{1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},OLECMDEXECOPT,{},{1073741827,1073741826,1073741825,1073741824,},{}2,{00000000-0000-0000-0000-000000000000},tagREADYSTATE,{},{1073741828,1073741827,1073741826,1073741825,1073741824,},{}2,{65507BE0-91A8-11D3-A845-009027220E6D},SecureLockIconConstants,{},{1073741830,1073741829,1073741828,1073741827,1073741826,1073741825,1073741824,},{}0,{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B},WebBrowser_V1,{100,101,102,103,104,-550,105,106,200,201,202,203,},{212,211,210,209,208,207,206,205,204,},{100,101,102,108,104,105,106,107,113,200,201,204,103,109,110,111,112,}1,{8856F961-340A-11D0-A96B-00C04FD705A2},WebBrowser,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}0,{0002DF01-0000-0000-C000-000000000046},InternetExplorer,{100,101,102,103,104,-550,105,106,200,201,202,203,300,301,302,303,500,501,502,503,},{556,555,554,553,552,551,550,-525,407,406,405,404,403,402,401,400,-515,0,212,211,210,209,208,207,206,205,204,},{102,108,105,106,104,113,112,250,251,252,259,253,254,255,256,257,258,260,262,264,265,266,267,263,268,269,270,271,225,226,227,272,273,}2,{F41E6981-28E5-11D0-82B4-00A0C90C29C5},ShellWindowTypeConstants,{},{1073741827,1073741826,1073741825,1073741824,},{}0,{9BA05972-F6A8-11CF-A442-00A0C90A8F39},ShellWindows,{0,-4,},{1610743808,},{200,201,}0,{64AB4BB7-111E-11D1-8F79-00C04FC2FBE1},ShellUIHelper,{4,5,6,7,8,9,10,11,13,},{},{}0,{55136805-B2DE-11D1-B9F2-00A0C98BC547},ShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}0,{2F2F1F96-2BC1-4B1C-BE28-EA3774F4676A},ShellShellNameSpace,{1,2,3,4,5,6,7,8,9,11,12,13,15,16,23,24,25,26,15,16,},{22,21,20,19,18,17,14,10,},{1,2,3,4,}
Recycled.exe
ul.dll
og.dll
og.edt
[%s%]
[%f%]
document.all('
document.frames('
.value='';};catch(e){};function a(){};a();
.value='
].selected=true;};catch(e){};function a(){};a();
.options[
.checked='';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
:\autorun.inf
shellexecute
@http://www.yeanqin.com/ul.htm
url\{((\d{1,3},)*\d{1,3})\}
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
OLEACC.DLL
keybd_event
WebBrowser
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\0015DD1B_Rar\XP-542ADE6B.EXE
XP-542ADE6B.EXE
http://www.choghazanbil.com/Images/logos.gif
http://216.32.75.74/h2/mainh.gif
http://masuren-ferienhaus.com/logos.gif
http://radio.irib.ir/farhang/images/logos.gif
http://www.gaaholding.com/images/logos.gif
http://ziyagokalpilkogretim72.meb.k12.tr/images/logos.gif
http://pingaksh.com/images/mainf.gif
http://www.railwayservices.be/images/logos.gif
Q*G.Cwtt$
\.lhh
/[email protected]
K.FX>Q
.LK'E
Phttp://89.11;
.info/home.gifv*y
.text^
]6.dB
4.At%
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
UrlA'G
\'Web%f
HTTP)e
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%Sa`&

XP-542ADE6B.EXE_1748_rwx_0040E000_00016000:

.value='
].selected=true;};catch(e){};function a(){};a();
.options[
.checked='';};catch(e){};function a(){};a();
.checked='checked';};catch(e){};function a(){};a();
:\autorun.inf
shellexecute
@http://www.yeanqin.com/ul.htm
url\{((\d{1,3},)*\d{1,3})\}
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
user32.dll
OLEACC.DLL
keybd_event
WebBrowser

XP-542ADE6B.EXE_1748_rwx_0042B000_00010000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\0015DD1B_Rar\XP-542ADE6B.EXE
XP-542ADE6B.EXE
.text
%System%\XP-542ADE6B.EXE
http://www.choghazanbil.com/Images/logos.gif
http://216.32.75.74/h2/mainh.gif
http://masuren-ferienhaus.com/logos.gif
http://radio.irib.ir/farhang/images/logos.gif
http://www.gaaholding.com/images/logos.gif
http://ziyagokalpilkogretim72.meb.k12.tr/images/logos.gif
http://pingaksh.com/images/mainf.gif
http://www.railwayservices.be/images/logos.gif
Q*G.Cwtt$
\.lhh
/[email protected]
K.FX>Q
.LK'E
Phttp://89.11;
.info/home.gifv*y
.text^
.rdata
]6.dB
4.At%
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
UrlA'G
\'Web%f
HTTP)e
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA

XP-542ADE6B.EXE_1748_rwx_01620000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

XP-542ADE6B.EXE_1748_rwx_01630000_00001000:

|xp-542ade6b.exeM_1748_

Explorer.EXE_840_rwx_01450000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

Explorer.EXE_840_rwx_01D60000_00001000:

|explorer.exeM_840_

Explorer.EXE_840_rwx_022D0000_01033000:

c:\windows
http://www.choghazanbil.com/Images/logos.gif
http://216.32.75.74/h2/mainh.gif
http://masuren-ferienhaus.com/logos.gif
http://radio.irib.ir/farhang/images/logos.gif
http://www.gaaholding.com/images/logos.gif
http://ziyagokalpilkogretim72.meb.k12.tr/images/logos.gif
http://pingaksh.com/images/mainf.gif
http://www.railwayservices.be/images/logos.gif
%System%\drivers\iogngn.sys
14292182033
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
h.rdata
H.data
.reloc
ntoskrnl.exe
Opera/8.81 (Windows NT 6.0; U; en)
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
NOTEPAD.EXE
WINMINE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
http://
http://klkjwre77638dfqwieuoi888.info/
www.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\abp470n5
WINDOWS
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
BackWeb Plug-in - 4476822
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
tcpsr
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
ASHWEBSV.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBPROXY.
WEBSCANX.
WEBTRAP.
sfc_os.dll
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetWindowsDirectoryA
GetProcessHeap
WinExec
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
.xdata
@.CRT
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1808
    WINMINE.EXE:2484
    WINMINE.EXE:2456
    XP-0C5BA6B1.EXE:3332
    NOTEPAD.EXE:2956
    NOTEPAD.EXE:2864
    NOTEPAD.EXE:2660
    netsh.exe:1128
    netsh.exe:2016
    mscorsvw.exe:1924

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %System%\XP-0C5BA6B1.EXE (7386 bytes)
    %System%\com.run (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\internet.fne (184 bytes)
    %System%\spec.fne (601 bytes)
    %System%\krnln.fnr (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (202 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\spec.fne (73 bytes)
    %System%\ul.dll (2 bytes)
    %System%\og.edt (512 bytes)
    %System%\og.dll (692 bytes)
    %System%\eAPI.fne (1425 bytes)
    %System%\dp1.fne (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\eAPI.fne (323 bytes)
    %System%\RegEx.fne (673 bytes)
    %System%\internet.fne (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\RegEx.fne (167 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\¡¡¡¡¡¡.lnk (1250 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0015DD1B_Rar\XP-542ADE6B.EXE (7971 bytes)
    %System%\shell.fne (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (202 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (202 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\dp1.fne (114 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
    %WinDir%\system.ini (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0015CDAA_Rar\%original file name%.exe (7971 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\com.run (266 bytes)
    %System%\XP-542ADE6B.EXE (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0016DF0A_Rar\XP-0C5BA6B1.EXE (7971 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\N5IYINQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\CTYRS9I3\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\O1E70XUN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WTUF81AV\desktop.ini (67 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "XP-542ADE6B" = "%System%\XP-542ADE6B.EXE"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now