Win32.Sality.3_90a914dd99
Trojan.Win32.Agentb.aanb (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.Win32.Swrort.3.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 90a914dd9913e7158f5c079030668d5d
SHA1: 0be834a9e2d3badbb543321e56e10290b2831596
SHA256: 2ab4b5f6b1d98c7dfd68581e4057ca2d2a9b83336c88d68589d9054bd70ba29d
SSDeep: 12288:VTyjXW 48qWywrU4kGFezOAVuJ5PINww7F5DO3HYffh2vTH:ZIXW/8yw1ez54lItF5SXYHh0H
Size: 758427 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-01-18 16:44:33
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:704
The Trojan injects its code into the following process(es):
rundll32.exe:1056
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar\%original file name%.exe (5441 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar (0 bytes)
The process rundll32.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB85_Rar\rundll32.exe (5441 bytes)
Registry activity
The process %original file name%.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Msversion" = "2007"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 4F AF 14 B9 B4 62 24 30 7A BF 83 80 16 7D B2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
The process rundll32.exe:1056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 6C 4D AB 83 CA 5A 1F 86 73 98 FE 70 ED 9F DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
Dropped PE files
| MD5 | File path |
|---|---|
| 82005fbde52b06c6744ad8176be2033b | c:\jogxxk.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 569841 | 569856 | 4.61292 | 0fd9e616a22ca25c8dd4ffc4fe8d4bb7 |
| .rdata | 577536 | 58474 | 58880 | 3.75497 | e40dfac2aa919c953afc3e5f529b3350 |
| .data | 638976 | 36632 | 10752 | 2.54749 | e27b8dce8893e88554c3004d7188b557 |
| .rsrc | 675840 | 114688 | 113664 | 5.13211 | 082e6788da8a78037318b9731b0f74f2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
0765c49460a50e4d83dd490686641e45
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:704
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe (5441 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0C7_Rar\%original file name%.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB85_Rar\rundll32.exe (5441 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Windows" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Office\rundll32.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.