Win32.Sality.3_62b9740ef5
Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 62b9740ef53859645afe21302679efab
SHA1: 288ef64677f6c0a081afa371d3988557a92681cc
SHA256: b5eb345ea67595717f78792f475b240348389f9a43b276a369d0b5d5495878a8
SSDeep: 98304:wxbrPRZxMGI KwZEAMuJH8hYyeAUtG0XtZuzXyFNHzLQJFvAPasQbJFjKiD:kbVTM ZOuJHsUtG0Xt1JzLyvWasQLKs
Size: 4638104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-11 23:03:36
Analyzed on: WindowsXP SP3 32-bit
Summary:
Worm: a program that primarily replicates over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
No processes have been created.
The Worm injects its code into the following process(es):
%original file name%.exe:368
Explorer.EXE:884
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:368 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\rbagfu.pif (103 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\windrvnsg.exe (741 bytes)
C:\autorun.inf (224 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\windrvnsg.exe (0 bytes)
Registry activity
The process %original file name%.exe:368 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
"UacDisableNotify" = "1"
"FirewallDisableNotify" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| a7bc4e9aaea70509052f4cd2ac09197c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00128BEC_Rar\%original file name%.exe |
| 8683e0490479293e0dd1faf2cf2e88d7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl3.tmp\AccDownload.dll |
| 03c8b03f54ea786a0e37842b767570e1 | c:\rbagfu.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name:
Product Name: Shopper-Pro
Product Version: 2.0.7791.1486
Legal Copyright:
Legal Trademarks:
Original Filename: ShopperProFull.exe
Internal Name:
File Version: 2.0.7791.1486
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23522 | 23552 | 4.5162 | 00a774bb1293cc5b3ab5b6e501d8c655 |
| .rdata | 28672 | 4558 | 4608 | 3.6294 | 5801d712ecba58aa87d1e7d1aa24f3aa |
| .data | 36864 | 108504 | 1024 | 3.41753 | f1bf988467c2a1fe94575f6d3e66d158 |
| .ndata | 147456 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 204800 | 94208 | 91136 | 5.40327 | 254b73470a66ef91f601a58be44b3f14 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Worm connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\rbagfu.pif (103 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\windrvnsg.exe (741 bytes)
C:\autorun.inf (224 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (368 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.