Win32.Sality.3_14ec684a94
not-a-virus:AdWare.Win32.Shopper.adw (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 14ec684a942adec41ea700420316b1e4
SHA1: 5ceeb96fea53dc5a4db5d488264b00bd7088463a
SHA256: 213a85d3e3f4139dc6db9bc73379b3ef7f4a3527aae0ef4a14709cb11c6124e4
SSDeep: 24576:zdzZYNEA5xdUKjD4DJ0uwTuQOt2oE0iqLPIxRoJgId2lGVjKSFz0U:ziXxdUlV0uwTu5ZiqERIld2IVrQU
Size: 1575784 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-05 16:07:21
Analyzed on: WindowsXP SP3 32-bit
Summary:
Worm. A program that replicates itself, primarily over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
No processes have been created.
The Worm injects its code into the following process(es):
%original file name%.exe:668
Explorer.EXE:888
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:668 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
C:\wndj.exe (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\windysh.exe (741 bytes)
C:\autorun.inf (267 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\windysh.exe (0 bytes)
Registry activity
The process %original file name%.exe:668 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "3073158479"
[HKCU\Software\Aas\695404737]
"35845605" = "417"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "4F7A36E77864F6283C8BFC443556E56991DAAF587D07A64539B130AE61394A8EB44525E489676F5B94D3316BE188E7E8FF09D63C91939DB6892F0DAEC5413E4D90FAABF4575C6A88FC296A4299FB48DB1C97CFAC4583B0DEFB1BE28720F59424AFC57F37E7C389A6960F98164D9C241027AF2ACBF21B3BB85511EEE485A26795"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "147"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 1A DC F0 35 C5 E4 D3 E4 2E 01 0C 4F A2 0B 92"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a2_0" = "9939"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Adds a Windows Firewall exception that allows any network activity by the Worm's file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Windows Firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
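The registry changes above are the classic AV-killer set: every Security Center override and "DisableNotify" flag is turned on, UAC (EnableLUA) and the firewall are turned off, and the sample's own path is whitelisted under AuthorizedApplications\List. The following script, added here as an illustration and not part of the Lavasoft report, audits a `reg export` file for exactly those settings. The .reg text embedded in it is constructed from the values listed above (with a hypothetical path C:\sample.exe standing in for %original file name%.exe); the expected values are the ones a healthy host carries.

```python
import re

# Hive names as they appear in .reg exports, shortened for the checks below.
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
         "hkey_users": "hku", "hkey_classes_root": "hkcr"}

SEC_CENTER = r"hklm\software\microsoft\security center"
FW_PROFILE = (r"hklm\system\currentcontrolset\services\sharedaccess"
              r"\parameters\firewallpolicy\standardprofile")
OVERRIDE_FLAGS = ("antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                  "firewalldisablenotify", "updatesdisablenotify", "uacdisablenotify")

# (key, value name) -> value a healthy host should carry. The sample flips every one.
EXPECTED = {(k, f): 0 for k in (SEC_CENTER, SEC_CENTER + r"\svc") for f in OVERRIDE_FLAGS}
EXPECTED[(r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua")] = 1
EXPECTED[(FW_PROFILE, "enablefirewall")] = 1
EXPECTED[(FW_PROFILE, "disablenotifications")] = 0

# Constructed .reg export mirroring the values in the report; C:\sample.exe is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\sample.exe"="C:\\sample.exe:*:Enabled:ipsec"

[HKEY_CURRENT_USER\Software\Aas]
"a1_0"="3073158479"
'''

_VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')


def _unescape(s):
    """Undo the backslash doubling and quote escaping used by .reg files."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _norm_key(path):
    hive, _, rest = path.partition("\\")
    return (HIVES.get(hive.lower(), hive.lower()) + "\\" + rest).lower()


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {(key, name): data}.
    dword values become ints, string values are unescaped, other types are kept raw."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = _norm_key(line[1:-1])
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = _unescape(m.group(1)).lower(), m.group(2)
        if data.lower().startswith("dword:"):
            values[(key, name)] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            values[(key, name)] = _unescape(data[1:-1])
        else:
            values[(key, name)] = data
    return values


def audit(values):
    """One finding per tampered Security Center / UAC / firewall setting or firewall exception."""
    findings = []
    for (key, name), wanted in EXPECTED.items():
        got = values.get((key, name))
        if got is not None and got != wanted:
            findings.append(f"{key}\\{name} = {got} (expected {wanted})")
    for (key, name), data in values.items():
        if (key.endswith(r"\authorizedapplications\list") and isinstance(data, str)
                and ":*:enabled:" in data.lower()):
            findings.append(f"firewall exception for {name}: {data}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host, export the four keys (`reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg`, and likewise Security Center\Svc, the StandardProfile firewall key and policies\system), open the files with `encoding="utf-16"` (reg.exe writes a BOM-prefixed UTF-16 file on current Windows) and pass the text to `audit(parse_reg(...))`. The key paths are the Windows XP SP3 layout the sandbox used; confirm them on the target OS before relying on the result.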
Dropped PE files
| MD5 | File path |
|---|---|
| 575c6ba0a38e6473acdda5239afc456e | c:\wndj.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
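Both the Payload table and the Propagation section describe the same mechanism: a copy of the worm plus an autorun.inf at the root of each removable drive, so that Explorer launches the copy when the drive is opened. The script below, added here and not part of the Lavasoft report or the sample, is the check a responder runs on a suspect drive: it parses an autorun.inf tolerantly (worm-written files commonly pad the [autorun] section with comment and junk lines) and reports every key that would launch an executable. The autorun.inf text in it is constructed; the report only records that C:\autorun.inf (267 bytes) and C:\wndj.exe were written, so the assumption that the script points at wndj.exe is ours.

```python
import re

LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample in the style of a worm-dropped autorun.inf: the launch
# entries are padded with comment and junk lines to trip up naive parsers.
SAMPLE_AUTORUN = b"""[AutoRun]
;kQwzRqp
open=wndj.exe
shell\\open\\command=wndj.exe
shell\\explore\\command=wndj.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
\x8f\x1a\xc3 junk bytes that a strict INI parser would choke on
"""


def parse_autorun(data):
    """Return {key: value} for the [autorun] section, tolerating junk lines."""
    if isinstance(data, bytes):
        data = data.decode("latin-1")  # never fails, keeps junk bytes inert
    entries, in_section = {}, False
    for raw in re.split(r"[\r\n]+", data):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Explorer treats keys case-insensitively; normalise separators too.
        entries[key.strip().lower().replace("/", "\\")] = value.strip()
    return entries


def launch_targets(entries):
    """Keys that make Explorer run something: open, shellexecute, shell\\<verb>\\command."""
    return {
        key: value
        for key, value in entries.items()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    }


def executable_of(command):
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def triage(data):
    """Parse an autorun.inf body and return (entries, findings)."""
    entries = parse_autorun(data)
    findings = []
    for key, command in launch_targets(entries).items():
        exe = executable_of(command)
        if exe.lower().endswith(EXEC_EXTS):
            findings.append(f"{key} launches {exe}")
    if "shell\\open\\command" in entries:
        findings.append("double-clicking the drive icon runs the worm instead of opening the drive")
    return entries, findings


if __name__ == "__main__":
    found, issues = triage(SAMPLE_AUTORUN)
    for issue in issues:
        print(issue)
```

To use it on a real drive, read the root autorun.inf as bytes (it is usually marked hidden and system, so list the drive with `dir /a` first) and pass them to `triage`; every executable it names is a file to hash and delete along with the script. Note the caveat for modern hosts: since the 2011 AutoRun update (KB971029 for XP, Vista and 7) Windows no longer honours autorun.inf on USB mass-storage devices, so this vector works against the Windows XP SP3 sandbox used here but not against a patched system.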
VersionInfo
Company Name: GOOBZO
Product Name: YouTube Accelerator
Product Version: 3.3.9.4
Legal Copyright: Copyright (c) 2013 GOOBZO Ltd.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.3.9.4
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 167091 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 172032 | 42164 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .data | 217088 | 14208 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .text1 | 233472 | 720896 | 671744 | 4.48659 | 6be55948488d7bfa179b7b65921321d2 |
| .adata | 954368 | 65536 | 53248 | 0 | 938d6d97628275a512e07c66be5ccecf |
| .data1 | 1019904 | 196608 | 118784 | 3.1728 | 4260a54dc1ef85bfc1f19275a2bd1789 |
| .pdata | 1216512 | 655360 | 622592 | 5.54121 | 809d114e8f2525ff5d4037aa777881c1 |
| .rsrc | 1871872 | 98304 | 98304 | 5.29711 | be28fb71269c423dfa66eb324fb7f809 |
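The first three rows are the tell: .text, .rdata and .data have a virtual size but a raw size of 0, and their MD5 d41d8cd98f00b204e9800998ecf8427e is the hash of zero bytes, so nothing for them exists on disk and they must be filled in at run time. The appended .text1, .adata, .data1 and .pdata sections carry the actual bytes; together with the PEiD hit that is what the "Entropy: Packed" verdict rests on. The following example, added here and not part of the Lavasoft report, walks a PE section table with `struct`, computes per-section entropy and MD5, and flags those indicators. It runs on a constructed minimal PE32 (an empty .text, a high-entropy writable-and-executable .text1, a benign .rsrc) because the real sample is not reproduced on this page; the 7.0 entropy threshold and the list of standard section names are our choices.

```python
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata"}
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Walk the section table of a PE image (bytes) and describe each section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = SECTION_HDR.unpack_from(image, table + i * SECTION_HDR.size)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
            "md5": hashlib.md5(raw).hexdigest(),
            "wx": bool(chars & SCN_MEM_EXECUTE) and bool(chars & SCN_MEM_WRITE),
        })
    return sections


def section_anomalies(sections):
    """Packer indicators of the kind the table above shows."""
    findings = []
    for s in sections:
        if s["vsize"] and s["rawsize"] == 0:
            findings.append(f'{s["name"]}: {s["vsize"]} bytes mapped but nothing on disk '
                            f'(md5 {s["md5"]} is the empty hash)')
        if s["rawsize"] and s["entropy"] > 7.0:
            findings.append(f'{s["name"]}: entropy {s["entropy"]} looks compressed or encrypted')
        if s["name"] not in STANDARD_NAMES:
            findings.append(f'{s["name"]}: non-standard section name')
        if s["wx"]:
            findings.append(f'{s["name"]}: writable and executable')
    return findings


def build_sample_pe():
    """Constructed minimal PE32 shaped like the table (not the real sample): an empty
    .text, a high-entropy W+X .text1 holding the 'packed' bytes, and a benign .rsrc."""
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))  # 4096 bytes
    rsrc = b"A" * 512 + b"\0" * 512
    layout = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x1000, 0x1000, 0, 0, 0x60000020),
        (b".text1", 0x2000, 0x2000, len(packed), 512, 0xE0000020),
        (b".rsrc", 0x1000, 0x4000, len(rsrc), 512 + len(packed), 0x40000040),
    ]
    hdr = bytearray(512)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)  # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 68, 0x14C, len(layout), 0, 0, 0, 224, 0x0102)  # COFF header, i386
    struct.pack_into("<H", hdr, 88, 0x10B)  # PE32 magic; rest of the optional header left zero
    off = 88 + 224
    for name, vsize, vaddr, rawsize, rawptr, chars in layout:
        SECTION_HDR.pack_into(hdr, off, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        off += SECTION_HDR.size
    return bytes(hdr) + packed + rsrc


if __name__ == "__main__":
    for finding in section_anomalies(pe_sections(build_sample_pe())):
        print(finding)
```

Pointing `pe_sections` at the bytes of a real file gives the same columns as the table above (name, sizes, entropy, section MD5); packed samples of this kind also typically show an entry point outside the original .text, which the section table alone does not reveal.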
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Worm connects to the servers at the following location(s):
Strings from dumps (the original file, followed by the injected memory regions named below):
.text
`.rdata
@.data
.text1
.adata
.data1
.pdata
.rsrc
aSSSh
FTPjK
FtPj;
C.PjRV
]@ ]( ]8
tGHt.Ht&
FTPQ
.?AVunsupported_thread_option@boost@@
zcÁ
SetProcessShutdownParameters
kernel32.dll
COMCTL32.DLL
boost::too_few_args: format-string referred to more arguments than were passed
boost::too_many_args: format-string referred to less arguments than were passed
Required USB Key not found
Failed to execute target process
Cannot find import; DLL may be missing, corrupt, or wrong version
File "%s", function "%s"
File "%s", ordinal %d
File "%s", error %d
(Error code %d)
%X:DAF
(Location XEB, error code %d)
_PAD%d
RNX
%X::DAX
KERNEL32.DLL
.DbgLog
GetWindowsDirectoryW
CreateDialogIndirectParamW
Kernel32.dll
User32.dll
ComDlg32.dll
1.2.3
EXCEPTION_FLT_INVALID_OPERATION
EXCEPTION_FLT_DENORMAL_OPERAND
boost::unsupported_thread_option
mscoree.dll
Visual C CRT: Not enough memory to complete call to strerror.
.mixcrt
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
USER32.DLL
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
c:\14ec684a942adec41ea700420316b1e4-2.DbgLog
c:\%original file name%.exe
GetWindowsDirectoryA
KERNEL32.dll
EnumThreadWindows
EnumWindows
CreateDialogIndirectParamA
GetAsyncKeyState
USER32.dll
GDI32.dll
comdlg32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
^.Ad/
.Zvv[
j%FwL
e.tu/
5%up/
A.YNpN\n
%Um-IF
.BV$L|
%X1:S
`?T%Sj
%x@k4
.iyDY
j.Wsf
Cr.BxL
V.Fb7|
$"bM-Q}n
%x R\X
4%sPp
_%S3@
.LvHT
.owm;y,
}R.zmA
.bi@{>I|.pt|d
t_\A
p}.GF
G){.mf.xh$x
U.gs!
J|0.tL
.iJp`
.zE:aG
.7%Xs
-DED%xFqz
%cnzb
%UQzss
1%.Ey\=
/\%Dg
.FlC\5
.cA~;
P?=I_.or\
E.yb|4
%SuSw
T.UHuR
<.fAC
68.bn
Dv.Xo
o.WT;u
\hm
.soor
.bA:[
%S `EG
.DsBv3
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
SHELL32.DLL
ShellExecuteA
%original file name%.exe
hXXp://VVV.syattus.com.br/images/logo.gif
hXXp://zanzoul.aya.com.sy/logo.gif
hXXp://cargocrystal.com/logo.gif
hXXp://abc-kemeja.fr/img/banner.gif
hXXp://denny-designs.com/logo.gif
hXXp://abeva.nl/banner.gif
hXXp://sewakiosonline.com/logo.gif
hXXp://scglobal.com.ph/logo.gif
hXXp://VVV.dropsvideo.com.br/logo.gif
hXXp://thecleanergroup.com.br/logo.gif
hXXp://3enerjielektrik.com/logo.gif
hXXp://samayer.net/logo.gif
.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
.info/J
home.gifI888
h.rata
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
.MJ=y%
hKpQ.jSM
9V%9x
2adec41ea700420316b1e4.exe
?hXXp://test.%s.com/%s/wizardtest/VA_COMM_TEST_JPG.asp?random=%d
%s %s Browser WebWindow@hXXp://test.%s.com/%s/wizardtest/SMALLTEST.HTM?random=%d&mode=%s
test.%s.com
3.3.9.4
%original file name%.exe_668_rwx_005CF000_00010000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
.rsrc
c:\%original file name%.exe
hXXp://VVV.syattus.com.br/images/logo.gif
hXXp://zanzoul.aya.com.sy/logo.gif
hXXp://cargocrystal.com/logo.gif
hXXp://abc-kemeja.fr/img/banner.gif
hXXp://denny-designs.com/logo.gif
hXXp://abeva.nl/banner.gif
hXXp://sewakiosonline.com/logo.gif
hXXp://scglobal.com.ph/logo.gif
hXXp://VVV.dropsvideo.com.br/logo.gif
hXXp://thecleanergroup.com.br/logo.gif
hXXp://3enerjielektrik.com/logo.gif
hXXp://samayer.net/logo.gif
.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
.info/J
home.gifI888
.text
KERNEL32.dll
h.rata
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_668_rwx_00BD0000_0108E000:
c:\windows
hXXp://VVV.syattus.com.br/images/logo.gif
hXXp://zanzoul.aya.com.sy/logo.gif
hXXp://cargocrystal.com/logo.gif
hXXp://abc-kemeja.fr/img/banner.gif
hXXp://denny-designs.com/logo.gif
hXXp://abeva.nl/banner.gif
hXXp://sewakiosonline.com/logo.gif
hXXp://scglobal.com.ph/logo.gif
hXXp://VVV.dropsvideo.com.br/logo.gif
hXXp://thecleanergroup.com.br/logo.gif
hXXp://3enerjielektrik.com/logo.gif
hXXp://samayer.net/logo.gif
%System%\drivers\mnsnj.sys
2755783760
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
.text
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
Explorer.EXE_888_rwx_00FF0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
%original file name%.exe_668_rwx_01C60000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
%original file name%.exe_668_rwx_01C70000_00001000:
|%original file name%.exeM_668_
Explorer.EXE_888_rwx_01FA0000_00001000:
|explorer.exeM_888_
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): no new processes were created, but the Worm injected code into %original file name%.exe:668 and Explorer.EXE:888, so end the sample's process and restart Explorer.EXE (or reboot) before deleting files.
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%WinDir%\system.ini (70 bytes)
C:\wndj.exe (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\windysh.exe (741 bytes)
C:\autorun.inf (267 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.