Win32.Sality.3_4f8d49dfc3
Trojan.Win32.Small.cox (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4f8d49dfc3feb9fe17ff662fb32e750f
SHA1: c808649c7303becc94b5a98babb0ddc757fc644f
SHA256: fb7e2c8a92618e389f50458ed8a0a0f5187670a7f9359687dd6d713c217fb14e
SSDeep: 3072:1UXJlJrvlmM90RRCUPs0x3tCVeCyTPFa7OGM:OtDEM906UX3QXyTda75M
Size: 119295 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: no data
Analyzed on: Windows XP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1108
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). The entries for AdobeARM.exe, Reader_sl.exe, jusched.exe and TOTALCMD.EXE are writes into executables already present on the analysis system, consistent with the Virus classification above; winrgyqr.exe and winhqkyw.exe in the Temp folder are dropped and then deleted again (see below):
%WinDir%\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winrgyqr.exe (561 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (744 bytes)
C:\wnwfd.exe (99 bytes)
C:\autorun.inf (235 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winhqkyw.exe (561 bytes)
C:\totalcmd\TOTALCMD.EXE (858 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\winrgyqr.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winhqkyw.exe (0 bytes)
%WinDir%\cbc41 (0 bytes)
Registry activity
The process %original file name%.exe:1108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Stvncyfrlda]
"m2_8" = "997420773"
"m2_9" = "2732719960"
"m2_2" = "3470576471"
"m2_3" = "910908362"
"m2_0" = "5517"
"m2_1" = "1735293664"
"m2_6" = "1821804803"
"m2_7" = "3557105270"
"m2_4" = "2646190137"
"m2_5" = "86522028"
"m4_222" = "2982453382"
"m1_151" = "818735110"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_78" = "1678719516"
"m4_226" = "1333681722"
"m4_227" = "3068972455"
"m4_224" = "2158067552"
"m1_150" = "1587282280"
"m1_73" = "161331016"
"m1_72" = "3981211265"
"m1_71" = "1443625493"
"m1_70" = "1817797747"
"m1_77" = "2353033914"
"m1_76" = "2996314370"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m1_74" = "4124500534"
"m3_166" = "278866567"
"m3_167" = "2013911602"
"m3_164" = "1136397309"
"m2_98" = "2554772340"
"m1_144" = "2897642505"
"m3_163" = "3662911566"
"m3_160" = "2751909385"
"m3_161" = "225933732"
"m1_155" = "1519867459"
"m4_208" = "163219600"
"m3_168" = "3782899105"
"m1_154" = "2712980780"
[HKCU\Software\Stvncyfrlda]
"m2_147" = "1684660439"
"m1_148" = "3396909428"
"m1_149" = "2972543930"
"m1_146" = "3054466885"
"m1_147" = "1820036492"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Stvncyfrlda]
"m1_145" = "514378241"
"m1_142" = "1924650186"
"m1_143" = "3096943262"
"m1_140" = "3574934551"
"m2_107" = "992511912"
"m2_99" = "4290053359"
"m2_148" = "3419960950"
"m4_209" = "1898510333"
"m2_210" = "3633805776"
"m3_35" = "622481870"
"m3_34" = "3182011987"
"m3_37" = "4092948712"
"m3_36" = "2323956093"
"m3_31" = "2270958618"
"m3_30" = "535979247"
"m3_33" = "1413429028"
"m3_32" = "3972958089"
"m3_39" = "3234960306"
"m3_38" = "1533534215"
"m4_0" = "0"
"m4_1" = "1735290733"
"m4_2" = "3470581466"
"m4_3" = "910904903"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m4_6" = "1821809806"
"m4_7" = "3557100539"
"m4_8" = "997423976"
"m4_9" = "2732714709"
"m2_213" = "249736207"
"m2_212" = "2809421678"
"m2_215" = "3720315645"
"m2_214" = "1985033928"
"m2_217" = "2895931717"
"m2_216" = "1160648400"
"m2_69" = "3770947391"
"m2_68" = "2035649540"
"m2_61" = "2773523757"
"m2_60" = "1038221636"
"m2_63" = "1949137641"
"m2_62" = "213839292"
"m2_65" = "1124751482"
"m2_64" = "3684432831"
"m2_67" = "300366013"
"m2_66" = "2860032967"
"m4_204" = "1811991260"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Stvncyfrlda]
"m4_223" = "422776819"
"m1_79" = "4179664525"
"m4_205" = "3547281993"
"m4_221" = "1247162649"
"m4_129" = "514205165"
"m4_128" = "3073881728"
"m4_125" = "2162976825"
"m4_124" = "427686092"
"m4_127" = "1338590995"
"m4_126" = "3898267558"
"m4_121" = "3811748485"
"m4_120" = "2076457752"
"m4_123" = "2987362655"
"m4_122" = "1252071922"
"m4_158" = "3592996166"
"m4_159" = "1033319603"
"m3_185" = "3217944556"
"m4_150" = "2595572190"
"m4_151" = "35895627"
"m4_152" = "1771186360"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m4_154" = "946800530"
"m4_155" = "2682091263"
"m4_156" = "122414700"
"m4_157" = "1857705433"
"m2_134" = "600722026"
"m2_135" = "2336021377"
"m4_29" = "3078791001"
"m4_28" = "1343500268"
"m2_130" = "2249490986"
"m2_131" = "3984789870"
"m2_132" = "1425107247"
"m2_133" = "3160405617"
"m4_23" = "1256981195"
"m4_22" = "3816657758"
"m4_21" = "2081367025"
"m4_20" = "346076292"
"m4_27" = "3903176831"
"m4_26" = "2167886098"
"m4_25" = "432595365"
"m4_24" = "2992271928"
"m1_195" = "1249905753"
"m4_229" = "2244586625"
"m3_182" = "2306891095"
"m1_194" = "244328930"
"m3_183" = "4008889538"
"m1_197" = "3014825308"
"m1_24" = "1126444631"
"m1_25" = "2176478623"
"m1_26" = "2368811593"
"m1_27" = "1809424982"
"m1_20" = "2240887039"
"m1_21" = "2282193610"
"m1_22" = "2423477007"
"m1_23" = "3361004696"
"m1_191" = "3971228416"
"m1_28" = "1139187132"
"m1_29" = "459460116"
"m3_199" = "1742469010"
"m1_190" = "200307053"
"m3_122" = "1268937691"
"m3_123" = "3003966326"
"m3_120" = "2059882801"
"m3_121" = "3794911404"
"m3_126" = "3914972559"
"m3_127" = "1321872698"
"m3_124" = "410948325"
"m3_125" = "2179924496"
"m3_128" = "3056917673"
"m3_129" = "530927556"
"m3_165" = "2871966568"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_162" = "1927407827"
"m1_214" = "2278259158"
[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "73"
[HKCU\Software\Stvncyfrlda]
"m1_99" = "2431197297"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA E8 E6 3D 74 A8 6F 18 AA B8 93 51 18 0E 76 CE"
[HKCU\Software\Stvncyfrlda]
"m1_215" = "3794638630"
"m1_91" = "3104484972"
"m1_90" = "2251280386"
"m1_93" = "2078280662"
"m1_92" = "3883910387"
"m1_95" = "2272998893"
"m1_94" = "1058425468"
"m1_97" = "1693319155"
"m1_96" = "1011120282"
"m3_231" = "1436934514"
"m1_202" = "2632098096"
"m1_221" = "3629068130"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Stvncyfrlda]
"m1_108" = "795572129"
"m1_109" = "4003808980"
"m4_201" = "901086357"
"m1_102" = "3850852309"
"m1_103" = "1433478674"
"m1_100" = "3158747853"
"m1_101" = "1622075727"
"m1_106" = "219689375"
"m1_107" = "3058367538"
"m1_104" = "13098559"
"m1_105" = "2686447502"
"m3_3" = "927474798"
"m3_2" = "3487544563"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m3_7" = "3573965266"
"m3_6" = "1838544551"
"m3_5" = "69945096"
"m3_4" = "2629490589"
"m1_216" = "2431476549"
"m1_217" = "785713976"
"m3_9" = "2749530364"
"m3_8" = "980422977"
"m1_199" = "2124792276"
"m1_198" = "4201665808"
"m1_210" = "2679258320"
"m1_211" = "343321091"
"m3_93" = "2451378352"
"m3_92" = "716398853"
"m3_91" = "3309498774"
"m3_90" = "1573930619"
"m3_97" = "836457060"
"m3_96" = "3362431689"
"m3_95" = "1626878810"
"m3_94" = "4220485679"
[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "87"
[HKCU\Software\Stvncyfrlda]
"m3_99" = "4273372430"
"m2_94" = "4203544288"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_98" = "2571488659"
"m3_169" = "1189405916"
"m1_75" = "2008610210"
"m2_146" = "4244346404"
"m1_5" = "990974441"
"m1_4" = "2043211597"
"m1_7" = "2820037032"
"m1_6" = "942015960"
"m1_1" = "692605188"
"m1_0" = "1431655765"
"m3_68" = "2018964189"
"m3_69" = "3787940424"
"m3_66" = "2877018163"
"m3_67" = "283394990"
"m3_64" = "3667439977"
"m3_65" = "1107894404"
"m3_62" = "230528591"
"m3_63" = "1965949434"
"m3_60" = "1021409189"
"m3_61" = "2756962000"
"m2_220" = "3806845852"
"m2_221" = "1247161601"
"m2_222" = "2982458860"
"m2_223" = "422778851"
"m2_224" = "2158061060"
"m2_225" = "3893360689"
"m2_226" = "1333674330"
"m2_227" = "3068975004"
"m2_228" = "509290276"
"m2_229" = "2244588177"
"m2_149" = "860277579"
"m3_229" = "2227881640"
"m3_228" = "525883197"
"m3_225" = "3909911780"
"m3_224" = "2174883145"
"m3_227" = "3085936526"
"m1_141" = "4141719570"
"m3_221" = "1263885104"
"m3_220" = "3823414149"
"m3_223" = "405824986"
"m3_222" = "2965883567"
"m2_29" = "3078785195"
"m2_28" = "1343503866"
"m2_25" = "432599607"
"m2_24" = "2992267508"
"m2_27" = "3903183002"
"m2_26" = "2167895256"
"m2_21" = "2081371996"
"m2_20" = "346071088"
"m2_23" = "1256985789"
"m2_22" = "3816655334"
"m1_209" = "3155973963"
"m4_220" = "3806839212"
"m2_169" = "1206360295"
"m2_168" = "3766028597"
[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"
[HKCU\Software\Stvncyfrlda]
"m2_163" = "3679511550"
"m2_162" = "1944231898"
"m2_161" = "208930336"
"m2_160" = "2768613639"
"m2_167" = "2030742075"
"m2_166" = "295459582"
"m2_165" = "2855125605"
"m2_164" = "1119843840"
"m4_114" = "254647946"
"m4_115" = "1989938679"
"m4_116" = "3725229412"
"m4_117" = "1165552849"
"m4_110" = "1903419606"
"m4_111" = "3638710339"
"m4_112" = "1079033776"
"m4_113" = "2814324509"
"m4_118" = "2900843582"
"m4_119" = "341167019"
"m4_74" = "3857462658"
"m4_75" = "1297786095"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m4_70" = "1211267022"
"m4_71" = "2946557755"
"m4_72" = "386881192"
"m4_73" = "2122171925"
"m4_78" = "2208690998"
"m4_79" = "3943981731"
"m4_228" = "509295892"
"m4_189" = "1552434041"
"m4_188" = "4112110604"
"m4_187" = "2376819871"
"m4_186" = "641529138"
"m4_185" = "3201205701"
"m4_184" = "1465914968"
"m4_183" = "4025591531"
"m4_182" = "2290300798"
"m4_181" = "555010065"
"m4_180" = "3114686628"
"m1_213" = "120992232"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Stvncyfrlda]
"m1_3" = "553799287"
"m1_2" = "2322242303"
"m2_90" = "1557345606"
"m2_91" = "3292630795"
"m2_92" = "732960072"
"m1_68" = "649548716"
"m1_69" = "1903551532"
"m4_237" = "3242010601"
"m2_93" = "2468243659"
"m4_231" = "1420200795"
"m4_230" = "3979877358"
"m4_233" = "595814965"
"m4_232" = "3155491528"
"m1_60" = "4197738691"
"m1_62" = "2539637048"
"m1_63" = "680455449"
"m1_64" = "2017257838"
"m1_65" = "1471882934"
"m1_66" = "3862333089"
"m1_67" = "2335761362"
"m3_179" = "1395950366"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m2_96" = "3379156570"
"m3_130" = "2266496883"
"m3_171" = "398919654"
"m3_170" = "2924909643"
"m3_173" = "3835831936"
"m2_97" = "819471273"
"m3_175" = "3044884906"
"m3_174" = "1275909695"
"m3_177" = "2186829940"
"m3_176" = "451932377"
"m4_235" = "4066396431"
"m1_152" = "3482863563"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Stvncyfrlda]
"m3_22" = "3799972215"
"m3_23" = "1273981154"
"m3_20" = "363060909"
"m3_21" = "2097957336"
"m3_26" = "2150906683"
"m3_27" = "3920013910"
"m3_24" = "3008960529"
"m3_25" = "415992716"
"m1_159" = "1691954959"
"m1_158" = "168550920"
"m3_28" = "1360479685"
"m3_29" = "3061970288"
[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"
[HKCU\Software\Stvncyfrlda]
"m2_76" = "3033072811"
"m2_77" = "473405641"
"m2_74" = "3857459532"
"m2_75" = "1297789250"
"m2_72" = "386877788"
"m2_73" = "2122174573"
"m2_70" = "1211261673"
"m2_71" = "2946563963"
"m2_78" = "2208687956"
"m2_79" = "3943988105"
"m3_57" = "110470508"
"m3_56" = "2703963633"
"m3_55" = "968530498"
"m3_54" = "3494439639"
"m3_53" = "1759411128"
"m3_52" = "57526285"
"m3_51" = "2583910558"
"m3_50" = "848472419"
"m3_59" = "3614491702"
"m3_58" = "1845908635"
"m2_219" = "2071546545"
"m2_218" = "336263826"
"m1_156" = "3807128157"
"m3_214" = "2001882935"
"m3_215" = "3703373474"
"m3_216" = "1143826897"
"m3_217" = "2912885068"
"m3_210" = "3650358595"
"m3_211" = "1090960638"
"m3_212" = "2792828013"
"m3_213" = "266461080"
"m3_218" = "352946427"
"m3_219" = "2054830102"
"m2_127" = "1338593966"
"m4_149" = "860281457"
"m4_148" = "3419958020"
"m3_226" = "1316828179"
"m2_126" = "3898265266"
"m4_143" = "3333438947"
"m4_142" = "1598148214"
"m4_141" = "4157824777"
"m4_140" = "2422534044"
"m4_147" = "1684667287"
"m4_146" = "4244343850"
"m4_145" = "2509053117"
"m4_144" = "773762384"
"m4_38" = "1516538414"
"m4_39" = "3251829147"
"m2_125" = "2162982345"
"m2_124" = "427682656"
"m2_123" = "2987364716"
"m2_122" = "1252065327"
"m2_121" = "3811753852"
"m2_120" = "2076451112"
"m4_30" = "519114438"
"m4_31" = "2254405171"
"m4_32" = "3989695904"
"m4_33" = "1430019341"
"m4_34" = "3165310074"
"m4_35" = "605633511"
"m4_36" = "2340924244"
"m4_37" = "4076214977"
"m2_192" = "2463337006"
"m2_193" = "4198634809"
"m2_190" = "3287720436"
"m2_191" = "728055417"
"m2_196" = "814568826"
"m2_197" = "2549852248"
"m2_194" = "1638951449"
"m2_195" = "3374250117"
[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
[HKCU\Software\Stvncyfrlda]
"m2_198" = "4285150058"
"m2_199" = "1725467057"
"m1_11" = "31487998"
"m1_10" = "3127516927"
"m1_13" = "3959391552"
"m1_12" = "1954038609"
"m1_15" = "481741629"
"m1_14" = "628379951"
"m1_17" = "3003209313"
"m1_16" = "2981283468"
"m1_19" = "564026795"
"m1_18" = "2170026116"
"m3_184" = "1449360497"
"m4_206" = "987605430"
"m3_135" = "2319427666"
"m3_134" = "583874855"
"m3_137" = "1528482684"
"m3_136" = "4087897025"
"m4_89" = "4117019877"
"m4_88" = "2381729144"
"m3_133" = "3176958344"
"m3_132" = "1441930781"
"m4_85" = "1470824241"
"m4_84" = "4030500804"
"m4_87" = "646438411"
"m4_86" = "3206114974"
"m4_81" = "3119595901"
"m4_80" = "1384305168"
"m4_83" = "2295210071"
"m4_82" = "559919338"
"m2_129" = "514207877"
"m2_128" = "3073876284"
"m1_86" = "4240485411"
"m1_87" = "1530355570"
"m1_84" = "823236109"
"m1_85" = "734529528"
"m1_82" = "3953629875"
"m1_83" = "4169493765"
"m1_80" = "470677577"
"m1_81" = "3682909249"
"m1_180" = "4091768570"
"m1_88" = "2308553164"
"m1_89" = "1459646869"
"m3_198" = "4268311655"
"m1_229" = "1525368115"
"m1_228" = "3351168477"
"m3_186" = "658480923"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Stvncyfrlda]
"m3_140" = "2439480757"
"m3_141" = "4140840224"
"m3_142" = "1581425759"
"m3_143" = "3350419402"
"m1_119" = "296599941"
"m1_118" = "558736613"
"m3_146" = "4260947459"
"m3_147" = "1701482942"
"m1_115" = "2044199498"
"m1_114" = "2927784647"
"m1_117" = "602910570"
"m1_116" = "3155493939"
"m1_111" = "693222414"
"m1_110" = "406141983"
"m1_113" = "1582530128"
"m1_112" = "1983910778"
"m1_168" = "4029690933"
"m1_169" = "811539950"
"m1_220" = "2936810010"
"m4_219" = "2071548479"
"m1_160" = "2206361762"
"m1_161" = "1351367124"
"m1_162" = "1228143535"
"m1_163" = "1805779931"
"m1_164" = "2080655757"
"m1_165" = "925291766"
"m1_166" = "205343519"
"m1_167" = "3961488711"
"m3_80" = "1401010233"
"m3_81" = "3102878548"
"m3_82" = "542956227"
"m3_83" = "2311932542"
"m3_84" = "4047496685"
"m3_85" = "1453954328"
"m3_86" = "3189376183"
"m3_87" = "663008290"
"m3_88" = "2364876625"
"m3_89" = "4100445900"
"m4_215" = "3720320139"
"m4_214" = "1985029406"
"m4_225" = "3893358285"
"m4_194" = "1638953114"
"m1_201" = "3754065806"
"m1_200" = "2018323094"
"m3_19" = "2888904510"
"m3_18" = "1153482627"
"m1_205" = "1867573235"
"m1_204" = "4058030189"
"m1_207" = "1215742951"
"m1_206" = "1459190399"
"m3_13" = "1100530336"
"m3_12" = "3626914613"
"m3_11" = "1891476358"
"m3_10" = "190001259"
"m3_17" = "3746958356"
"m3_16" = "2011536633"
"m3_15" = "243002698"
"m3_14" = "2835971551"
"m2_233" = "595819503"
"m2_232" = "3155486812"
"m2_231" = "1420204799"
"m2_230" = "3979872950"
"m2_237" = "3242016349"
"m2_236" = "1506713014"
"m2_235" = "4066398315"
"m2_234" = "2331102712"
"m2_239" = "2417628014"
"m2_238" = "682329246"
"m2_49" = "3424863385"
"m2_48" = "1689581758"
"m2_47" = "4249243849"
"m2_46" = "2513967050"
"m2_45" = "778666128"
"m2_44" = "3338353820"
"m2_43" = "1603051715"
"m2_42" = "4162737418"
"m2_41" = "2427452863"
"m2_40" = "692190340"
"m2_38" = "1516540340"
"m2_39" = "3251825499"
"m2_32" = "3989698242"
"m2_33" = "1430028137"
"m2_30" = "519115862"
"m2_31" = "2254399775"
"m2_36" = "2340916894"
"m2_37" = "4076211581"
"m2_34" = "3165313684"
"m2_35" = "605629135"
"m2_158" = "3593002658"
"m2_159" = "1033315383"
"m2_156" = "122417416"
"m2_157" = "1857701538"
"m2_154" = "946805766"
"m2_155" = "2682085710"
"m2_152" = "1771188795"
"m2_153" = "3506485397"
"m2_150" = "2595576834"
"m2_151" = "35892040"
"m4_107" = "992514703"
"m4_106" = "3552191266"
"m4_105" = "1816900533"
"m4_104" = "81609800"
"m4_103" = "2641286363"
"m4_102" = "905995630"
"m4_101" = "3465672193"
"m4_100" = "1730381460"
"m3_131" = "3967839982"
"m4_109" = "168128873"
"m4_108" = "2727805436"
"m4_41" = "2427443317"
"m4_40" = "692152584"
"m4_43" = "1603057487"
"m4_42" = "4162734050"
"m4_45" = "778671657"
"m4_44" = "3338348220"
"m4_47" = "4249253123"
"m4_46" = "2513962390"
"m4_49" = "3424867293"
"m4_48" = "1689576560"
"m3_100" = "1713433789"
"m3_139" = "703982086"
"m3_138" = "3230366443"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Stvncyfrlda]
"m1_55" = "586759707"
"m1_54" = "329606035"
"m1_57" = "4286143818"
"m1_56" = "3068279466"
"m1_51" = "3269551098"
"m1_50" = "3721081366"
"m1_53" = "799595448"
"m1_52" = "1435962206"
"m1_59" = "4211268460"
"m1_58" = "3797049028"
"m3_108" = "2744413141"
"m3_109" = "184949568"
"m3_104" = "98446945"
"m3_105" = "1833490844"
"m3_106" = "3535358219"
"m3_107" = "975960230"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m3_101" = "3482491944"
"m3_102" = "922947399"
"m3_103" = "2624438002"
"m4_76" = "3033076828"
"m2_83" = "2295214378"
"m4_77" = "473400265"
"m4_234" = "2331105698"
"m1_124" = "2313608085"
"m1_125" = "2517593122"
"m1_126" = "1183919503"
"m1_127" = "4090620359"
"m1_120" = "352912710"
"m1_121" = "525920974"
"m1_122" = "1773195910"
"m1_123" = "1631511158"
"m1_128" = "1899359543"
"m1_129" = "2554552886"
"m1_238" = "3012114029"
"m1_239" = "4193671054"
"m3_187" = "2359824054"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Stvncyfrlda]
"m1_230" = "1661387702"
"m1_231" = "2772759062"
"m1_232" = "1487748725"
"m1_233" = "1330650216"
"m1_234" = "404568025"
"m1_235" = "340661447"
"m1_236" = "2360895151"
"m1_237" = "1999166397"
"m3_44" = "3354938517"
"m3_45" = "795540480"
"m3_46" = "2497408959"
"m3_47" = "4232388394"
"m3_40" = "675414817"
"m3_41" = "2444014172"
"m3_42" = "4179439051"
"m3_43" = "1586486630"
"m3_48" = "1706528345"
"m3_49" = "3441441268"
"m3_144" = "790480761"
"m3_239" = "2434362602"
"m2_186" = "641523860"
"m3_207" = "2739893002"
"m3_206" = "1004454815"
"m3_205" = "3530313824"
"m3_204" = "1828954357"
"m3_203" = "93401414"
"m3_202" = "2619377195"
"m3_201" = "884348604"
"m3_200" = "3477366529"
"m3_145" = "2492364436"
"m3_209" = "1881906644"
"m3_208" = "146399929"
"m4_178" = "3939072458"
"m4_179" = "1379395895"
"m4_176" = "468490992"
"m4_177" = "2203781725"
"m4_174" = "1292876822"
"m4_175" = "3028167555"
"m4_172" = "2117262652"
"m4_173" = "3852553385"
"m4_170" = "2941648482"
"m4_171" = "381971919"
"m2_118" = "2900839311"
"m2_119" = "341168867"
"m2_112" = "1079028740"
"m2_113" = "2814326357"
"m2_110" = "1903424635"
"m2_111" = "3638710045"
"m2_116" = "3725224478"
"m2_117" = "1165545175"
"m2_114" = "254641384"
"m2_115" = "1989940481"
"m2_185" = "3201209104"
"m2_184" = "1465912988"
"m2_187" = "2376823569"
"m4_153" = "3506477093"
"m2_181" = "555014653"
"m2_180" = "3114682902"
"m2_183" = "4025594563"
"m2_182" = "2290295026"
"m2_189" = "1552440359"
"m2_188" = "4112109057"
"m3_180" = "3097834125"
"m1_153" = "1948338955"
"m4_98" = "2554767290"
"m4_99" = "4290058023"
"m4_92" = "732957484"
"m4_93" = "2468248217"
"m4_90" = "1557343314"
"m4_91" = "3292634047"
"m4_96" = "3379153120"
"m4_97" = "819476557"
"m4_94" = "4203538950"
"m4_95" = "1643862387"
"m2_137" = "1511621791"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m2_138" = "3246919378"
"m2_139" = "687248129"
"m3_153" = "3489919500"
"m3_152" = "1754350225"
"m3_151" = "52482914"
"m3_150" = "2612405239"
"m3_157" = "1874411504"
"m3_156" = "105417797"
"m3_155" = "2665356502"
"m3_154" = "963407291"
"m4_217" = "2895934309"
"m4_216" = "1160643576"
"m3_159" = "1016356506"
"m3_158" = "3609964399"
"m4_213" = "249738673"
"m4_212" = "2809415236"
"m4_211" = "1074124503"
"m4_210" = "3633801066"
"m1_179" = "1430096878"
"m1_178" = "1231968881"
"m1_173" = "2481272938"
"m1_172" = "4182091649"
"m1_171" = "3492431878"
"m1_170" = "1499642644"
"m1_177" = "2647342484"
"m1_176" = "2425026954"
"m1_175" = "3004726235"
"m1_174" = "1472173135"
"m1_9" = "151879564"
"m4_218" = "336257746"
"m3_181" = "538419768"
"m1_8" = "3256253133"
"m2_211" = "1074118939"
"m2_108" = "2727811031"
"m2_206" = "987610631"
"m2_207" = "2722892376"
"m2_204" = "1811996636"
"m2_205" = "3547275357"
"m2_202" = "2636379630"
"m2_203" = "76695677"
"m2_200" = "3460767640"
"m2_201" = "901080769"
"m4_207" = "2722896163"
"m2_208" = "163222104"
"m2_209" = "1898507573"
"m3_148" = "3403350317"
"m4_236" = "1506719868"
"m2_58" = "1862608806"
"m2_59" = "3597908369"
"m3_149" = "843427928"
"m2_54" = "3511391495"
"m2_55" = "951706847"
"m2_56" = "2686995484"
"m2_57" = "127325563"
"m2_50" = "865196975"
"m2_51" = "2600479323"
"m2_52" = "40809682"
"m2_53" = "1776092050"
"m3_197" = "2532889800"
"m2_106" = "3552195858"
"m3_196" = "831399261"
"m4_200" = "3460762920"
"m3_195" = "3357379118"
"m3_194" = "1622350515"
"m4_202" = "2636377090"
"m1_61" = "1357573285"
"m3_193" = "4215368452"
"m4_203" = "76700527"
"m3_192" = "2479946729"
"m3_191" = "711346298"
"m1_218" = "3194026153"
"m4_239" = "2417624771"
"m3_190" = "3270891727"
"m4_238" = "682334038"
"m4_138" = "3246919874"
"m4_139" = "687243311"
"m4_132" = "1425110068"
"m4_133" = "3160400801"
"m4_130" = "2249495898"
"m4_131" = "3984786631"
"m4_136" = "4071305704"
"m4_137" = "1511629141"
"m4_134" = "600724238"
"m4_135" = "2336014971"
"m1_219" = "3339903988"
"m3_178" = "3955889123"
"m2_136" = "4071302274"
"m1_196" = "109216001"
"m2_141" = "4157819949"
"m2_140" = "2422535570"
"m2_143" = "3333433309"
"m2_142" = "1598151989"
"m2_145" = "2509048297"
"m2_144" = "773767117"
"m4_58" = "1862614706"
"m4_59" = "3597905439"
"m4_56" = "2687000536"
"m4_57" = "127323973"
"m4_54" = "3511386366"
"m4_55" = "951709803"
"m4_52" = "40804900"
"m4_53" = "1776095633"
"m4_50" = "865190730"
"m4_51" = "2600481463"
"m3_172" = "2133964565"
"m1_37" = "3668133303"
"m1_36" = "275077415"
"m1_35" = "805071184"
"m1_34" = "2127548871"
"m1_33" = "2453262610"
"m1_32" = "1879909220"
"m1_31" = "1933898652"
"m1_30" = "1852396027"
"m3_188" = "4095393317"
"m3_189" = "1569401168"
"m1_39" = "555649990"
"m1_38" = "3155285234"
"m1_42" = "2856522456"
"m1_43" = "3809320332"
"m1_40" = "4071759830"
"m1_41" = "3806458374"
"m1_46" = "51130063"
"m1_47" = "1746714962"
"m1_44" = "165799661"
"m1_45" = "3009313618"
"m1_48" = "1226411939"
"m1_49" = "4114743402"
"m3_119" = "357998978"
"m3_118" = "2917414423"
"m3_117" = "1148946168"
"m3_116" = "3741914957"
"m3_115" = "2006935518"
"m3_114" = "237958307"
"m3_113" = "2797356340"
"m3_112" = "1096013209"
"m3_111" = "3655416426"
"m3_110" = "1886423807"
"m1_193" = "4085995670"
"m2_95" = "1643856179"
"m1_192" = "1150121371"
"m1_137" = "4095158563"
"m1_136" = "2083075988"
"m1_135" = "3071460018"
"m1_134" = "3738776128"
"m1_133" = "3535370715"
"m1_132" = "2957545245"
"m1_131" = "1112568474"
"m1_130" = "4089361049"
"m1_212" = "2842654093"
"m1_139" = "1433852645"
"m1_138" = "3025423996"
"m1_182" = "2455791155"
"m1_183" = "3294326721"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_181" = "4017020997"
"m1_186" = "1325851643"
"m1_187" = "2359629217"
"m1_184" = "3940951267"
"m1_185" = "3417422235"
"m1_223" = "1703112392"
"m1_222" = "688254169"
"m1_188" = "342194722"
"m1_189" = "43166772"
"m1_227" = "2093017813"
"m1_226" = "3177607245"
"m1_225" = "2783514737"
"m1_224" = "44212751"
"m2_10" = "173032746"
"m2_11" = "1908331499"
"m2_12" = "3643615808"
"m2_13" = "1083945517"
"m2_14" = "2819228168"
"m2_15" = "259556002"
"m2_16" = "1994846993"
"m2_17" = "3730138108"
"m2_18" = "1170457497"
"m2_19" = "2905756539"
"m1_208" = "441110310"
"m3_71" = "2929954066"
"m3_70" = "1227955687"
"m3_73" = "2139008060"
"m3_72" = "369900673"
"m3_75" = "1280954054"
"m3_74" = "3840892843"
"m3_77" = "490007008"
"m3_76" = "3049946741"
"m3_79" = "3927378058"
"m3_78" = "2191956255"
"m2_89" = "4117015209"
"m2_88" = "2381731628"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Stvncyfrlda]
"m2_82" = "559916134"
"m2_81" = "3119601895"
"m2_80" = "1384301436"
"m2_87" = "646433765"
"m2_86" = "3206118527"
"m2_85" = "1470819220"
"m2_84" = "4030503613"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Stvncyfrlda]
"m1_98" = "1603809000"
"m3_238" = "698940799"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Stvncyfrlda]
"m3_232" = "3172438241"
"m3_233" = "578813980"
"m3_230" = "3963318727"
"m2_109" = "168127319"
"m3_236" = "1489883733"
"m3_237" = "3225308608"
"m3_234" = "2347938699"
"m3_235" = "4083360550"
"m1_203" = "3754977857"
"m4_12" = "3643619612"
"m4_13" = "1083943049"
"m4_10" = "173038146"
"m4_11" = "1908328879"
"m4_16" = "1994847952"
"m4_17" = "3730138685"
"m4_14" = "2819233782"
"m4_15" = "259557219"
"m2_105" = "1816897925"
"m2_104" = "81614804"
"m4_18" = "1170462122"
"m4_19" = "2905752855"
"m2_101" = "3465667710"
"m2_100" = "1730387478"
"m2_103" = "2641283354"
"m2_102" = "905999314"
"m2_178" = "3939067760"
"m2_179" = "1379398622"
"m2_170" = "2941642059"
"m2_171" = "381972491"
"m2_172" = "2117257922"
"m2_173" = "3852555818"
"m2_174" = "1292871920"
"m2_175" = "3028169111"
"m2_176" = "468484712"
"m2_177" = "2203783390"
"m4_161" = "208933773"
"m4_160" = "2768610336"
"m4_163" = "3679515239"
"m4_162" = "1944224506"
"m4_165" = "2855129409"
"m4_164" = "1119838676"
"m4_167" = "2030743579"
"m4_166" = "295452846"
"m4_169" = "1206357749"
"m4_168" = "3766034312"
[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F7061647275702E636F6D2E64732F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
[HKCU\Software\Stvncyfrlda]
"m4_67" = "300362119"
"m4_66" = "2860038682"
"m4_65" = "1124747949"
"m4_64" = "3684424512"
"m4_63" = "1949133779"
"m4_62" = "213843046"
"m4_61" = "2773519609"
"m4_60" = "1038228876"
"m4_69" = "3770943585"
"m4_68" = "2035652852"
"m4_198" = "4285148750"
"m4_199" = "1725472187"
"m1_157" = "356126483"
"m4_195" = "3374243847"
"m4_196" = "814567284"
"m4_197" = "2549858017"
"m4_190" = "3287724774"
"m4_191" = "728048211"
"m4_192" = "2463338944"
"m4_193" = "4198629677"
Adds a Windows Firewall exception that allows the sample any network activity (the entry is registered with scope "*", i.e. any address, under the display name "ipsec"):
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The Windows Firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| c261d39de3ab2a46cecea526211d6f79 | c:\wnwfd.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
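The registry section above mixes the sample's own bookkeeping (the m1_…m4_ runs under HKCU\Software\Stvncyfrlda) with the handful of writes that actually disarm the host, a firewall exception whose format is easy to misread, and one hex-encoded value. The following script, an added example that is not part of this report or of any vendor tool, parses report lines in this format, lists the disarming writes, splits the XP SP2 AuthorizedApplications entry into path, scope, state and display name, and decodes the hex value. REPORT_LINES is an excerpt copied from the report; the reading of the first two bytes of the hex value as a little-endian count is an assumption (it matches the number of URLs in this sample, but the report does not state the layout).

```python
"""Parse "Registry activity" lines of a sandbox report such as this one, flag
the writes that disarm the host, split the XP firewall exception into its
fields and decode the hex blob under the sample's own key.  Added example;
REPORT_LINES is an excerpt copied from the report."""
import re
from collections import defaultdict

REPORT_LINES = r"""
[HKCU\Software\Stvncyfrlda]
"m4_109" = "168128873"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F7061647275702E636F6D2E64732F736F62616B61312E67696600687474703A2F2F34362E3130352E3130332E3231392F736F62616B61766F6C6F732E676966"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
"DisableNotifications" = "1"
""".strip().splitlines()

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]*)" = "(.*)"$')
# Security Center flags that, set to 1, blind or silence the XP Security Center.
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify",
}

def parse_registry(lines):
    """Return {key path: {value name: data}}; a later write to a value wins."""
    keys = defaultdict(dict)
    current = None
    for line in lines:
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return dict(keys)

def describe_firewall_exception(data):
    """Split an XP SP2 AuthorizedApplications entry "path:scope:state:name".
    rsplit is needed because the path itself contains the drive-letter colon."""
    path, scope, state, name = data.rsplit(":", 3)
    scope = "any address" if scope == "*" else scope
    return f"{path} ({state}, scope {scope}, shown as '{name}')"

def find_disarming_writes(keys):
    """List (key, name, data, reason) for every write that weakens the host."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            reason = None
            if "\\security center" in k and name in SECURITY_CENTER_FLAGS and data == "1":
                reason = "Security Center override/notification flag set"
            elif k.endswith("\\policies\\system") and name == "EnableLUA" and data == "0":
                reason = "UAC disabled"
            elif k.endswith("\\firewallpolicy\\standardprofile"):
                if name == "EnableFirewall" and data == "0":
                    reason = "Windows Firewall disabled"
                elif name == "DisableNotifications" and data == "1":
                    reason = "firewall notifications disabled"
            elif k.endswith("\\explorer\\advanced") and name == "Hidden" and data == "2":
                reason = "Explorer set to hide hidden files"
            elif "\\authorizedapplications\\list" in k:
                reason = "firewall exception: " + describe_firewall_exception(data)
            if reason:
                hits.append((key, name, data, reason))
    return hits

def decode_url_blob(hexdata):
    """Decode the hex value under the sample's numbered subkey.  Assumed layout:
    2-byte little-endian count, then NUL-separated ASCII URLs (the count is an
    assumption; the report does not describe the format)."""
    raw = bytes.fromhex(hexdata)
    count = int.from_bytes(raw[:2], "little")
    urls = [u.decode("ascii", "replace") for u in raw[2:].split(b"\x00") if u]
    return count, urls

def analyse(lines):
    """Disarming writes plus URLs recovered from the sample's numbered subkeys."""
    keys = parse_registry(lines)
    urls = []
    for key, values in keys.items():
        if not re.search(r"\\Stvncyfrlda\\\d+$", key):
            continue  # only the numbered subkey carries hex-encoded data
        for data in values.values():
            if len(data) > 8 and len(data) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", data):
                urls.extend(decode_url_blob(data)[1])
    return {"disarming": find_disarming_writes(keys), "urls": urls}

if __name__ == "__main__":
    result = analyse(REPORT_LINES)
    for key, name, data, reason in result["disarming"]:
        print(f"{reason}: [{key}] {name} = {data}")
    for url in result["urls"]:
        print("embedded URL:", url.replace("http", "hXXp", 1))
```

Run against the excerpt it reports six disarming writes and recovers the same two URLs that appear in the strings section, which is a useful cross-check: a URL present both in the binary and in a registry value the sample maintains is configuration, not a stray string. The Hidden=2 write is included because it hides the dropped files from a user browsing the drive; it is harmless on its own, so treat it as supporting evidence rather than an indicator by itself.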
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
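The report names the dropped file (C:\wnwfd.exe) and the autorun.inf beside it but not the script's contents, so a responder sweeping removable drives needs to read each autorun.inf and work out what it would launch. The script below is an added example, not part of the report: it tolerates the padding lines and mixed-case keys such files often carry and extracts the executable referenced by open=, shellexecute= and shell\<verb>\command= entries. SAMPLE_AUTORUN is constructed for the example and only borrows the report's dropped file name.

```python
"""Extract the launch targets from an autorun.inf so a sweep of removable
drives can name the file Explorer would run on a double-click.  Added example,
not part of the report; SAMPLE_AUTORUN is constructed (the report gives the
file's size, 235 bytes, but not its contents) and uses the report's dropped
file name wnwfd.exe."""
import re

# Constructed sample.  Junk lines and mixed-case keys are deliberate: worms
# pad autorun.inf to defeat naive signature matching, so the parser must not
# assume a clean INI layout.
SAMPLE_AUTORUN = """\
[AutoRun]
;kljsdf98 a8sdf7 9asd8f
OPEN=wnwfd.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\Command=wnwfd.exe
shell\\explore\\command = "wnwfd.exe" /x
ShellExecute=wnwfd.exe
shell=open
zxcvkjh3
"""

LAUNCH_KEYS = ("open", "shellexecute")                  # value is a command line
SHELL_CMD_RE = re.compile(r"^shell\\[^\\=]+\\command$")  # shell\<verb>\command

def parse_autorun(text):
    """Return (autorun_section_present, {lower-cased key: value})."""
    in_autorun = False
    found = False
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            found = found or in_autorun
            continue
        if not in_autorun or "=" not in line:
            continue  # padding line, or a key outside [autorun]
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return found, entries

def command_executable(command):
    """First token of a command line, unquoted; None for an empty command."""
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    return command.split()[0]

def launch_targets(entries):
    """Executables that open=, shellexecute= or shell\\<verb>\\command= would start."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            exe = command_executable(value)
            if exe and exe not in targets:
                targets.append(exe)
    return targets

def assess(text):
    """Verdict for one autorun.inf body: section present, what it launches, and
    whether any target is an .exe (the drive-root executable pattern this
    report describes)."""
    found, entries = parse_autorun(text)
    targets = launch_targets(entries)
    return {"has_autorun_section": found, "targets": targets,
            "launches_exe": found and any(t.lower().endswith(".exe") for t in targets)}

if __name__ == "__main__":
    print(assess(SAMPLE_AUTORUN))
```

On a real sweep, pass the contents of each <drive>:\autorun.inf to assess() and compare every target against the files actually present in the drive root; a target that exists, is an executable and is not something the drive's owner put there is the copy to remove along with the autorun.inf, which is the manual step the Propagation and removal sections describe.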
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 90112 | 86528 | 5.52737 | 1daab4a59f6e608b2cfebe8c4192dc67 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
b5734d2cbbcf45b6b4a5c8e60ae9e0e6
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
No connections have been detected.
Strings from the file and memory dumps
The URLs in the strings below, like the hex value under HKCU\Software\Stvncyfrlda\168128873 in the registry section, are embedded in the sample and its injected code; none of them was contacted during the run.
.text
KERNEL32.dll
7,.zL^o
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
f8d49dfc3feb9fe17ff662fb32e750f.exe
hXXp://padrup.com.ds/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
h.rdla&
mH.MN8
T4.At%
S.twa
.klkjw:9fqwiBumW
.sysa
Zc.pBTa
~%s:*:yd:
.!.VF*
.d&?%x=
GUrlA'
"\'Web%w}
HTTP)s'PS
2GUARDCMD
o.ENHCDM
wWEBWUPD
MM.PF
%xn'[
>>?456789:;
!"#$%&'()* ,-./4
qn%CXf
UP*dB.PPd@.
%FoAN-x
ÄEW
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
%original file name%.exe_1108_rwx_00401000_00001000:
KERNEL32.dll
%original file name%.exe_1108_rwx_00407000_00010000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
.text
f8d49dfc3feb9fe17ff662fb32e750f.exe
hXXp://padrup.com.ds/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
h.rdla&
mH.MN8
T4.At%
S.twa
.klkjw:9fqwiBumW
.sysa
Zc.pBTa
~%s:*:yd:
.!.VF*
.d&?%x=
GUrlA'
"\'Web%w}
HTTP)s'PS
2GUARDCMD
o.ENHCDM
wWEBWUPD
MM.PF
%xn'[
>>?456789:;
!"#$%&'()* ,-./4
qn%CXf
UP*dB.PPd@.
%FoAN-x
ÄEW
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA
Explorer.EXE_532_rwx_00FF0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_1108_rwx_00520000_010BA000:
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
.text
KERNEL32.dll
.reloc
USER32.dll
h.rdata
H.data
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
KERNEL32.DLL
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
%c%d_%d
purity_control_%x
.adata
M_%d_
?456789:;<=
!"#$%&'()* ,-./0123
mong%WinDir%\
%WinDir%\hywjfubtsnl.log
hXXp://padrup.com.ds/sobaka1.gif
hXXp://46.105.103.219/sobakavolos.gif
%System%\drivers\onhpn.sys
8355317537
.rsrc
SHELL32.DLL
ShellExecuteA
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
%original file name%.exe_1108_rwx_023D0000_00002000:
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
%original file name%.exe_1108_rwx_024E0000_00001000:
|%original file name%.exeM_1108_
Explorer.EXE_532_rwx_01E00000_00001000:
|explorer.exeM_532_
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es): no new processes were created. The sample runs inside the original file's process and injects code into Explorer.EXE (see Process activity), so end the original process; the reboot in the final step clears the code injected into Explorer.EXE.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winrgyqr.exe (561 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (744 bytes)
C:\wnwfd.exe (99 bytes)
C:\autorun.inf (235 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winhqkyw.exe (561 bytes)
C:\totalcmd\TOTALCMD.EXE (858 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.