Virus.Win32.Virut.n_1bfad4b6ce

by malwarelabrobot on January 17th, 2014 in Malware Descriptions.

Virus.Win32.Virut.n (Kaspersky), BehavesLike.Win32.Malware (v) (VIPRE), Virus.Win32.Ramnit!IK (Emsisoft), GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.


MD5: 1bfad4b6ce1fbba89b064c26fd537df1
SHA1: 3a935da640826c23cd2221453d02d8260f0992a7
SHA256: e7203995965e50152da884c05282b2a7c3f99adad1a449fb89455218f27f4386
SSDeep: 1536:abIZvbUOzHrLgbPhcySGOTl6MPFXyE9lTw oEJTS6gh:vzrbrL PhETl6MPtyE9lTNoEJTxg
Size: 84397 bytes
File type: broken
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1987-01-30 06:38:08 (PE header timestamp; the field is attacker-controllable and a 1987 date predates the PE format itself, so it is a forgery, not a build date)
Analyzed on: Windows7 SP1 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. On systems that still honour AutoRun for removable media, the autorun script executes the Virus's file once a user opens the drive in Windows Explorer.


Process activity

The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):

WerFault.exe:3100
WerFault.exe:2952
%original file name%.exe:3568

WerFault.exe is the Windows Error Reporting crash handler. Two instances of it, together with the ExceptionRecord value written under Windows Error Reporting\Debug (see Registry activity below), indicate that the sample crashed during analysis, which agrees with the "File type: broken" verdict above. Its presence in the injection list is therefore more plausibly the analysis system attributing crash handling to the sample than a deliberate injection target; the hooks listed under Rootkit activity are the better evidence of in-memory tampering.

File activity

The process %original file name%.exe:3568 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Program Files%\Microsoft\WaterMark.exe (687 bytes)

The Virus deletes the following file(s):

%Program Files%\Microsoft\px89A8.tmp (0 bytes)

Registry activity

The process WerFault.exe:3100 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "96 00 00 C0 08 00 00 00 00 00 00 00 07 50 40 00"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

The process WerFault.exe:2952 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "96 00 00 C0 08 00 00 00 00 00 00 00 07 50 40 00"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
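The ExceptionRecord value that WerFault.exe writes under Windows Error Reporting\Debug is the raw start of a 32-bit EXCEPTION_RECORD structure, stored little-endian. Decoding it turns the hex dump above into a triage fact: which exception code fired and at which address. The following Python is an added example for this page, not code from the Lavasoft analysis system; the field layout is taken from winnt.h, and the NTSTATUS name table is a small subset chosen for illustration.

```python
import struct

# Subset of NTSTATUS exception codes from ntstatus.h (illustrative, not exhaustive).
NTSTATUS_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

EXCEPTION_NONCONTINUABLE = 0x1  # winnt.h


def parse_exception_record(hex_dump: str) -> dict:
    """Decode the first 16 bytes of an x86 (32-bit) EXCEPTION_RECORD.

    winnt.h layout on x86, all fields little-endian:
        DWORD            ExceptionCode;     offset 0
        DWORD            ExceptionFlags;    offset 4
        EXCEPTION_RECORD *ExceptionRecord;  offset 8   (nested record, usually NULL)
        PVOID            ExceptionAddress;  offset 12
    Only these four fields are present in the registry dump, so
    NumberParameters / ExceptionInformation are not decoded here.
    """
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(data) < 16:
        raise ValueError("EXCEPTION_RECORD dump must contain at least 16 bytes")
    code, flags, nested, address = struct.unpack_from("<IIII", data, 0)
    return {
        "code": code,
        "code_name": NTSTATUS_NAMES.get(code, "UNKNOWN"),
        "flags": flags,
        "noncontinuable": bool(flags & EXCEPTION_NONCONTINUABLE),
        "nested_record": nested,
        "address": address,
    }


def describe_exception(hex_dump: str) -> str:
    """One-line summary suitable for a triage note."""
    r = parse_exception_record(hex_dump)
    return (f"{r['code_name']} (0x{r['code']:08X}) at 0x{r['address']:08X}, "
            f"flags=0x{r['flags']:X}, nested_record=0x{r['nested_record']:08X}")


# The value recorded by WerFault.exe in this report.
WER_EXCEPTION_RECORD = "96 00 00 C0 08 00 00 00 00 00 00 00 07 50 40 00"

if __name__ == "__main__":
    print(describe_exception(WER_EXCEPTION_RECORD))
```

For this report the decoder yields STATUS_PRIVILEGED_INSTRUCTION (0xC0000096) at 0x00405007, an address inside the default 0x00400000 image-base range, i.e. the sample faulted executing a privileged instruction in what is most likely its own code. That fits the "File type: broken" verdict and the polymorphic-packer PEiD match: a damaged or mis-decrypted body is a common reason for such a fault.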

Network activity (URLs)

URL                        IP
google.com                 74.125.143.113
rterybrstutnrsbberve.com   195.22.26.232
dns.msftncsi.com           131.107.255.255

dns.msftncsi.com (131.107.255.255) is the Windows Network Connectivity Status Indicator probe that Windows 7 issues on its own; it is background OS traffic, not activity attributable to the sample. A lookup of google.com is a common connectivity check. rterybrstutnrsbberve.com is the only contact in the list with no benign explanation in this report and is the indicator worth blocking and alerting on.


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Virus installs the following user-mode hooks in WS2_32.dll:

WSASendTo
WSARecvFrom
recvfrom
WSARecv
send
recv
WSASend
closesocket
sendto

The Virus installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwResumeThread
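The hook set above is the interesting part of this report: the WS2_32.dll hooks sit on every send/receive path, and LdrLoadDll plus ZwResumeThread are the pair usually hooked to re-enter newly loaded modules and newly created (suspended) child processes. The generic way to confirm such hooks is to compare the first bytes of each export as mapped in memory with the same bytes in the on-disk image and, on mismatch, resolve where the planted control transfer leads; a target outside every loaded module is the classic signature. The Python below is an added example, not code from the analysis system; reading process memory is abstracted away and the module ranges, function addresses and prologue bytes are constructed sample data.

```python
import struct


def hook_destination(func_va: int, code: bytes):
    """Return the absolute target if `code` begins with an x86 control transfer
    typical of an inline (detour) hook, otherwise None.

    func_va is the virtual address of the function start, needed because a
    JMP rel32 is relative to the end of the 5-byte instruction.
    """
    if len(code) >= 5 and code[0] == 0xE9:                              # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (func_va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:          # push imm32 ; ret
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax, imm32 ; jmp eax
        return struct.unpack_from("<I", code, 1)[0]
    return None


def owning_module(addr, module_ranges):
    """Name of the loaded module whose [base, end) range contains addr, else None."""
    if addr is None:
        return None
    for name, (base, end) in module_ranges.items():
        if base <= addr < end:
            return name
    return None


def check_export(name, func_va, disk_prologue, mem_prologue, module_ranges):
    """Compare an export's first bytes as mapped in memory with the on-disk image.

    Caveat: a function whose first instruction carries an absolute address
    legitimately differs from disk after relocation; either apply relocations to
    the disk copy first or restrict the check to hot-patchable prologues
    (mov edi,edi / push ebp / mov ebp,esp), which contain no addresses.
    """
    n = len(disk_prologue)
    if mem_prologue[:n] == disk_prologue:
        return {"export": name, "hooked": False, "target": None, "target_module": None}
    target = hook_destination(func_va, mem_prologue)
    return {"export": name, "hooked": True, "target": target,
            "target_module": owning_module(target, module_ranges)}


def scan(snapshot, module_ranges):
    """Run check_export over {name: (va, disk_bytes, mem_bytes)} and return only
    the exports whose in-memory bytes differ from disk."""
    results = [check_export(name, va, disk, mem, module_ranges)
               for name, (va, disk, mem) in snapshot.items()]
    return [r for r in results if r["hooked"]]


# ---- Constructed sample data (not recovered from the analysed sample) ----
# Typical Win7 x86 hot-patchable prologue: mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
MODULE_RANGES = {"ws2_32.dll": (0x76AB0000, 0x76AE5000),   # assumed load ranges
                 "ntdll.dll": (0x77D00000, 0x77E80000)}
HOOK_TARGET = 0x00345000                                    # unbacked, heap-like address
SEND_VA, RECV_VA, CLOSESOCKET_VA = 0x76AB6C40, 0x76AB5B90, 0x76AB3918

SNAPSHOT = {
    # send: 5-byte jmp rel32 to the hook
    "send": (SEND_VA, CLEAN_PROLOGUE,
             b"\xE9" + struct.pack("<i", HOOK_TARGET - (SEND_VA + 5))),
    # recv: push imm32 / ret trampoline to the same hook
    "recv": (RECV_VA, CLEAN_PROLOGUE,
             b"\x68" + struct.pack("<I", HOOK_TARGET) + b"\xC3"),
    # closesocket: untouched
    "closesocket": (CLOSESOCKET_VA, CLEAN_PROLOGUE, CLEAN_PROLOGUE + b"\x83\xEC\x10"),
}

if __name__ == "__main__":
    for finding in scan(SNAPSHOT, MODULE_RANGES):
        print(finding)
```

In a live check the three inputs come from the target process (the export's address and in-memory bytes) and from the DLL file on disk (the clean bytes at the export's file offset); both hooked exports in the sample data resolve to the same unbacked address, which is exactly what a single injected hook body looks like across many patched functions.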

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Virus's file once a user opens the drive in Windows Explorer. Note that Windows 7 (the analysis platform here) and Windows XP/Vista with update KB971029 installed ignore autorun.inf on non-optical removable drives, so this path only works on unpatched older systems or where AutoRun has been re-enabled; the dropped autorun.inf and executable are still worth removing from any drive that was attached to an infected host.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager): no new processes were created by the sample; end %original file name%.exe if it is still running.
  3. Delete the original Virus file.
  4. Delete or disinfect the following files created/modified by the Virus:

    %Program Files%\Microsoft\WaterMark.exe (687 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
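Step 6 above, and the Propagation section before it, turn on reading autorun.inf files from removable drives. Explorer's parser is lenient (case-insensitive section and key names, whitespace around "=", non key=value lines skipped), and worm-written files rely on that leniency, so a strict INI parser can reject a file that Explorer would happily act on. The following Python is an added example for this page, not code from Lavasoft or from the sample; it parses an autorun.inf the way Explorer does, extracts every path the file would execute, and flags the file as one to delete together with its payload. The sample autorun.inf at the bottom is constructed, with invented junk lines and an invented payload path.

```python
import re

# [autorun] keys that make Explorer launch something (compared case-insensitively).
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun_inf(text: str) -> dict:
    """Tolerant parse of the [autorun] section, mirroring Explorer's leniency."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line[0] in ";#":
            continue
        section = re.match(r"^\[(.+?)\]\s*$", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk padding, or a key outside [autorun]
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def _command_path(value: str) -> str:
    """First token of a command line, unquoted, normalised to a drive-relative path."""
    if value.startswith('"'):
        path = value[1:].split('"', 1)[0]
    else:
        path = value.split()[0]
    return path.replace("/", "\\").lstrip("\\")


def referenced_executables(entries: dict) -> list:
    """Deduplicated, drive-relative paths that the autorun.inf would execute."""
    return sorted({_command_path(entries[k]) for k in EXEC_KEYS if entries.get(k)})


def assess(text: str) -> dict:
    """Classify one autorun.inf. Anything that executes code from the drive is what
    removal step 6 wants deleted together with the file it points at."""
    entries = parse_autorun_inf(text)
    exes = referenced_executables(entries)
    return {
        "executes_code": bool(exes),
        "executables": exes,
        # "shell=<verb>" changes what a double-click on the drive does
        "remaps_default_verb": entries.get("shell", "").lower() in ("open", "explore"),
        "label": entries.get("label"),
        "icon": entries.get("icon"),
    }


# Constructed sample in the style of a worm-written autorun.inf (invented content).
SAMPLE_AUTORUN_INF = """\
[AutoRun]
;6a9d0c junk comment
vF3kq9s
OPEN = RECYCLER\\update.exe
shellexecute=RECYCLER\\update.exe
Shell\\Open\\Command="RECYCLER\\update.exe" %1
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    print(assess(SAMPLE_AUTORUN_INF))
```

Run over the root of each removable drive, the "executables" list is the set of files to remove alongside autorun.inf itself; an autorun.inf that only carries label and icon keys is the benign kind shipped with some USB devices and can be left alone.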
