Win32.Sality.3_b01d649073
not-a-virus:AdWare.Win32.MMag.k (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b01d6490737fc0afc9263566d3d3b24c
SHA1: 84ce1fdfc6fe81ad38404de4842c9fb261364cab
SHA256: 6896d409cb667cbd07da08cbfc6873bf9188355312a3503c6dcbbf8c036d33d8
SSDeep: 6144:nmsJ6rHkhjYXUjo4HE888888888888W88888888888G81VlL8mw Ynnm:nZ6rHkhjYXU 888888888888W8888888
Size: 316680 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-03-05 20:56:18
Analyzed on: WindowsXP SP3 32-bit
Summary:
Worm. A program whose primary purpose is to replicate itself across networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
No processes have been created.
The Worm injects its code into the following process(es):
%original file name%.exe:680
Explorer.EXE:1988
Mutexes
The following mutexes were created/opened:
wmiprvse.exeM_1928_
vmtoolsd.exeM_832_
jqs.exeM_324_
mscorsvw.exeM_284_
spoolsv.exeM_1432_
svchost.exeM_1100_
%original file name%.exeM_680_
svchost.exeM_932_
winlogon.exeM_716_
csrss.exeM_692_
services.exeM_760_
lsass.exeM_772_
smss.exeM_644_
si_none
ShimCacheMutex
uxJLpe1m
File activity
The process %original file name%.exe:680 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\spdysett.dat (837 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 (98 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\altdebugger.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (552 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\override_downloaded.ini (15 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\brndlog.bak (141 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\autoupdate_region.dat (15 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (94 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (124 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\oprand.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\da8a6d9b-7419-47f6-93ae-62ef84961c9b (388 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Office\Recent\Desktop.ini (95 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\boot.ini (211 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\toc.css (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst (979 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (216 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\HTML Help\hh.dat (8 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD (558 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\135BD6A358680A7BF1CCEC7C0172393D (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\si_none_2014-08-17_02_28_20.log (352 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (100 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Windows\Themes\Custom.theme (5 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 (126 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (124 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opcert6.dat (12 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD (558 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\#SharedObjects\8EJ7PEAE\s.ytimg.com\videostats.sol (218 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disablefloats.css (229 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\brndlog.txt (10 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\A1377F7115F1F126A15360369B165211 (597 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\structuretables.css (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\speeddial.ini (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (168 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\bookmarks.adr (5 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\sessions\autosave.win (20 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\sessions\autosave.win.bak (19 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\tasks.xml (431 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\windows-opengl.blocklist.json (6 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 (341 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\download.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\optrust.dat (12 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\%original file name%.exe (1425 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (100 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD (146 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opthumb.dat (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\vlink4.dat (12 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\tablelayout.css (258 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\structureblock.css (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\settings.sol (81 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 (413 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\windows-direct3d-10.blocklist.json (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst (979 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\operaprefs.ini (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disablebreaks.css (213 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\UserCache.bin (13 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\accessibility.css (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf (79 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\browser.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\Preferred (24 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76 (550 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opssl6.dat (11 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 (126 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\settings.sol (81 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\135BD6A358680A7BF1CCEC7C0172393D (132 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\wand.dat (439 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\cookies4.dat (20 bytes)
C:\autorun.inf (194 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opicacrt6.dat (9 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\#SharedObjects\8EJ7PEAE\s.ytimg.com\videostats.sol (218 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\webserver\users.xml (35 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\autoupdate_response.xml (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\AdobeSysFnt09.lst (19 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opuntrust.dat (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\tips.ini (291 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opcacrt6.dat (26 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js (10 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 (506 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 (506 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\135BD6A358680A7BF1CCEC7C0172393D (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (216 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\GHISLER\wincmd.ini (2 bytes)
C:\ssgbo.pif (103 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\AdobeSysFnt09.lst (19 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 (98 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (100 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 (413 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\83aa4cc77f591dfc2374580bbd95f6ba_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (45 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (124 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\A1377F7115F1F126A15360369B165211 (142 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (216 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ouxnuc.exe (741 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 (164 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\contrastbw.css (673 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\A1377F7115F1F126A15360369B165211 (597 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\135BD6A358680A7BF1CCEC7C0172393D (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (156 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Desktop.htt (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (100 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disabletables.css (410 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 (164 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\structureinline.css (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (168 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (94 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\%original file name%.exe (1425 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\typed_history.xml (363 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js (10 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 (341 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\A1377F7115F1F126A15360369B165211 (142 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Protect\CREDHIST (160 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\SharedDataEvents (3 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\SharedDataEvents (3 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (521 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (601 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (521 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\classid.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\outline.css (735 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\GHISLER\wincmd.ini (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\global_history.dat (17 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\dictionaries\dictionaries.xml (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disableforms.css (269 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76 (550 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (779 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\search_field_history.dat (486 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (124 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\UserCache.bin (13 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (216 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\6b29ae44e85efac3c72ff4d1865d73f1_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (53 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (156 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (552 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\boot.ini (211 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD (146 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\contrastwb.css (705 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disablepositioning.css (243 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ouxnuc.exe (0 bytes)
Registry activity
The process %original file name%.exe:680 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "3299283285"
[HKCU\Software\Aas\695404737]
"35845605" = "509"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "78674806A3861F72F7FBBF4459E2447BBB1A42BFC7AD3F9F8B6242699C86EB9DDA33E7F1CEC726A6BBFFC5F57712CCF7F1343FF5179C3FA5BE9D7D0CD1DB4A0B001DC22F1A3E3F9D40B2C10E1AAC3438B4AD546A932C794F41D6E3C5C12AC455E21F3013ED8634C8F551DD13DBE206D40FD35D5B18B779A77309D5F74D48F7FD"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "131"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\si\none]
"Installed" = "2014-08-17 02:28:28"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 69 7C AB 45 5B E3 88 E3 E7 98 99 83 A9 61 30"
[HKCU\Software\Aas]
"a2_0" = "9832"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"si_none" = "%Documents and Settings%\%current user%\Application Data\si_none\%original file name%.exe --continue"
Adds a rule to the Windows firewall which allows any network activity for the Worm's file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Windows firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Dropped PE files
| MD5 | File path |
|---|---|
| 4751015c9c310b34880796ef4f96d9eb | c:\ssgbo.pif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 186272 | 186368 | 4.45204 | 296b2dc9c305e174670a9d5217a05486 |
| .itext | 192512 | 2436 | 2560 | 4.07664 | d51046efc54c6e4212389b14084cc67d |
| .data | 196608 | 4248 | 4608 | 2.04953 | 91ba3100da180b41462569790bdb67e3 |
| .bss | 204800 | 21080 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 229376 | 5528 | 5632 | 3.48702 | 2cc961f40ddb3562f89c38316daa28b1 |
| .tls | 237568 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 241664 | 24 | 512 | 0.14174 | 757a2ff6f1456323c6023eea46c2f69c |
| .rsrc | 245760 | 114688 | 112640 | 4.95987 | af44b0d619107abcdd454b006e0ee08d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Worm connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\spdysett.dat (837 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 (98 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\altdebugger.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (552 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\override_downloaded.ini (15 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\brndlog.bak (141 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\autoupdate_region.dat (15 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (94 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (124 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\oprand.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\da8a6d9b-7419-47f6-93ae-62ef84961c9b (388 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Office\Recent\Desktop.ini (95 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\boot.ini (211 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\toc.css (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst (979 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (216 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\HTML Help\hh.dat (8 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD (558 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\135BD6A358680A7BF1CCEC7C0172393D (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\si_none_2014-08-17_02_28_20.log (352 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (100 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Windows\Themes\Custom.theme (5 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 (126 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (1336 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (124 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opcert6.dat (12 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD (558 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\#SharedObjects\8EJ7PEAE\s.ytimg.com\videostats.sol (218 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disablefloats.css (229 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\brndlog.txt (10 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\A1377F7115F1F126A15360369B165211 (597 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\structuretables.css (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\speeddial.ini (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (168 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\bookmarks.adr (5 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\sessions\autosave.win (20 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\sessions\autosave.win.bak (19 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\tasks.xml (431 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\windows-opengl.blocklist.json (6 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 (341 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\download.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\optrust.dat (12 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\%original file name%.exe (1425 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (100 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD (146 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opthumb.dat (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\vlink4.dat (12 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\tablelayout.css (258 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\structureblock.css (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\settings.sol (81 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 (413 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\windows-direct3d-10.blocklist.json (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst (979 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\operaprefs.ini (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disablebreaks.css (213 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\UserCache.bin (13 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\accessibility.css (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf (79 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\browser.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\Preferred (24 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76 (550 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opssl6.dat (11 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8 (126 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\settings.sol (81 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\135BD6A358680A7BF1CCEC7C0172393D (132 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\wand.dat (439 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\cookies4.dat (20 bytes)
C:\autorun.inf (194 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opicacrt6.dat (9 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\#SharedObjects\8EJ7PEAE\s.ytimg.com\videostats.sol (218 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\webserver\users.xml (35 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\autoupdate_response.xml (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\AdobeSysFnt09.lst (19 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opuntrust.dat (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\tips.ini (291 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\opcacrt6.dat (26 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js (10 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 (506 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9 (506 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\135BD6A358680A7BF1CCEC7C0172393D (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (216 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\GHISLER\wincmd.ini (2 bytes)
C:\ssgbo.pif (103 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\AdobeSysFnt09.lst (19 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165 (98 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (100 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165 (413 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\83aa4cc77f591dfc2374580bbd95f6ba_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (45 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (124 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\A1377F7115F1F126A15360369B165211 (142 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (216 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ouxnuc.exe (741 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 (164 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\contrastbw.css (673 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\A1377F7115F1F126A15360369B165211 (597 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\135BD6A358680A7BF1CCEC7C0172393D (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (156 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Desktop.htt (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9 (132 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (100 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disabletables.css (410 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\F90F18257CBB4D84216AC1E1F3BB2C76 (164 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\structureinline.css (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (168 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (94 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\%original file name%.exe (1425 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\typed_history.xml (363 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js (10 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8 (341 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\A1377F7115F1F126A15360369B165211 (142 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Protect\CREDHIST (160 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\SharedDataEvents (3 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\SharedDataEvents (3 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (521 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (601 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (521 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\classid.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\outline.css (735 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\GHISLER\wincmd.ini (2 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\global_history.dat (17 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\dictionaries\dictionaries.xml (4 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disableforms.css (269 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\F90F18257CBB4D84216AC1E1F3BB2C76 (550 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (779 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\search_field_history.dat (486 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (124 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (601 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Adobe\Acrobat\9.0\UserCache.bin (13 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (216 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\6b29ae44e85efac3c72ff4d1865d73f1_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (53 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (156 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (552 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\boot.ini (211 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD (146 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\contrastwb.css (705 bytes)
%Documents and Settings%\%current user%\Application Data\si_none\Documents and Settings\"%CurrentUserName%"\Application Data\Opera\Opera\styles\user\disablepositioning.css (243 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"si_none" = "%Documents and Settings%\%current user%\Application Data\si_none\%original file name%.exe --continue"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.