Win32.Sality.3_eb4094e00e

by malwarelabrobot on October 8th, 2015 in Malware Descriptions.

Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: eb4094e00e7960347d98948100911f59
SHA1: a609771f95af60931fbaa95502f5c6cf4098877a
SHA256: 16df481ce7c999bb71a36257d812dcc52d15301ab94eb64098adf439330d370b
SSDeep: 24576:FhMLKmtvPyHu7LkZt0JIig/7GlbqsDCBV1:riKmHyOsZt0KYU
Size: 972768 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Cinema_PlusV24.09
Created at: 2015-06-16 22:41:01
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm: a program that replicates primarily over networks or removable drives. The vendor names above (Virus.Win32.Sality.*) also classify this sample as a file infector, which matches the writes into existing executables recorded under File activity.

Payload

Behaviour Description
WormAutorun: the worm spreads via removable drives. It copies its executable to each drive and writes an "autorun.inf" next to it; on Windows XP-era defaults the autorun.inf is honoured when the user opens the drive in Windows Explorer (or AutoPlay fires), and the referenced file runs. In this run the sample wrote C:\xlkgcc.exe and C:\autorun.inf to the root of the system drive (see File activity). Windows 7 and later, and XP/Vista with the KB971029 update, ignore autorun.inf on non-optical removable media, so this vector only works against unpatched older hosts.
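The following is an added triage example for the autorun.inf mechanism described above; it is not code from this report or from the Lavasoft analysis system. The report records only the dropped file names (C:\autorun.inf, C:\xlkgcc.exe), not the file contents, so the SAMPLE in the block is a constructed autorun.inf in the style such droppers use: junk lines interleaved with the real directives, mixed case and stray spaces, all of which the Windows INI reader tolerates and a naive grep for "open=" does not. The parser recovers every directive that would launch a program (open=, shellexecute=, shell\<verb>\command=) and flags bare executable names, which resolve against the drive root where the worm places its copy.

```python
"""Triage parser for autorun.inf files dropped by autorun worms.

Added example; not from the original report.  SAMPLE is constructed and is
not the content of the analysed file.
"""
import re

# Constructed sample: junk lines mixed into the [autorun] section.
SAMPLE = (
    "[AuToRuN]\r\n"
    ";rkfjs;dfj3\r\n"                              # INI comment
    "OpEn=xlkgcc.exe\r\n"                          # runs on double-click / AutoPlay
    "\x01\x02garbage line without equals\r\n"      # junk, ignored by the INI reader
    "kd83=jf9s\r\n"                                # junk that looks like a directive
    "shell\\open\\Command=xlkgcc.exe\r\n"          # context-menu "Open"
    "ShElL\\ExPlOrE\\cOmMaNd = xlkgcc.exe\r\n"     # context-menu "Explore"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "UseAutoPlay=1\r\n"
    "shellexecute=xlkgcc.exe\r\n"
)

EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")


def parse_autorun(text: str) -> dict:
    """Return {lower_case_key: value} for the [autorun] section, skipping junk."""
    section, directives = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # junk, or a directive outside [autorun]
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def launched_programs(directives: dict) -> list:
    """Programs the file would start: open=, shellexecute=, shell\\<verb>\\command=."""
    programs = []
    for key, value in directives.items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            parts = value.split()          # drop any arguments after the program
            if parts:
                programs.append(parts[0].strip('"'))
    return sorted(set(programs))


def triage(text: str) -> dict:
    """Summarise what an autorun.inf would do and which entries warrant a look."""
    directives = parse_autorun(text)
    programs = launched_programs(directives)
    # A bare executable name resolves against the drive root, i.e. the dropped copy.
    root_exes = [p for p in programs
                 if p.lower().endswith(EXEC_EXT) and "\\" not in p and "/" not in p]
    return {
        "directives": len(directives),
        "programs": programs,
        "root_executables": root_exes,
        "autoplay_forced": directives.get("useautoplay") == "1",
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

Run it against C:\autorun.inf (or the copy on a suspect removable drive) with the file read as text; the junk directive kd83 is kept in the count but does not appear among the launched programs, which is the list worth acting on.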


Process activity

The Worm creates the following process(es):

%original file name%.exe:368

The Worm injects its code into the following process(es):

%original file name%.exe:716
%original file name%.exe:1512
Explorer.EXE:532

Mutexes

The following mutexes were created or opened. The "<process name>M_<PID>_" entries are the per-process markers Sality sets in each process it has injected; there is one for nearly every process on the sandbox (smss, csrss, winlogon, lsass, services, svchost and so on), i.e. far more than the three injection targets recorded above. uxJLpe1m is a mutex long associated with Sality. The remaining names (ShimCacheMutex, the Zones*Mutex and Wininet* mutexes, RasPbFile, the IE5 history/cookie paths) are ordinary Windows and WinINet mutexes and are not indicators on their own:

%original file name%.exeM_716_
wmiprvse.exeM_1864_
wuauclt.exeM_1648_
vmtoolsd.exeM_1740_
spoolsv.exeM_1424_
svchost.exeM_1084_
jqs.exeM_1640_
svchost.exeM_904_
vmacthlp.exeM_892_
lsass.exeM_736_
services.exeM_724_
winlogon.exeM_680_
csrss.exeM_656_
smss.exeM_424_
ShimCacheMutex
uxJLpe1m
%original file name%.exeM_1512_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_

File activity

The process %original file name%.exe:716 makes changes in the file system.
The Worm creates and/or writes to the following file(s). Reader_sl.exe and jusched.exe are legitimate auto-started programs already present on the sandbox; the small writes into them are consistent with Sality's file-infector behaviour rather than with dropping new files. The 70-byte write to %WinDir%\system.ini is a known Sality side effect, and C:\xlkgcc.exe together with C:\autorun.inf is the autorun pair described under Payload:

%WinDir%\system.ini (70 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winasteok.exe (741 bytes)
C:\xlkgcc.exe (103 bytes)
C:\autorun.inf (335 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\winasteok.exe (0 bytes)

The process %original file name%.exe:1512 makes changes in the file system.
The Worm creates and/or writes to the following file(s). nsis7z.dll and nsisunz.dll are standard NSIS installer plugins, so this process is the original installer (the Company field reads Cinema_PlusV24.09) unpacking its own components into a temporary directory; these DLLs are carried by the infected host program and are not Sality indicators:

%Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\lua51.dll (3578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\nsis7z.dll (2039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\shared_library.dll (1485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\loading_screen.dll (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\extramod.dll (675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\nsisunz.dll (40 bytes)

Registry activity

The process %original file name%.exe:716 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry. Most of the entries fall under HKCU\Software\Aas, where four parallel arrays a1_N, a2_N, a3_N and a4_N (N up to about 298) are written, with a subkey named after one a4 value (695404737) holding a further handful of values; this layout is consistent with the registry-resident peer-list/configuration store Sality keeps for its P2P network. Interspersed among them are the HKLM values that matter for defence: the Security Center override and notification flags, EnableLUA=0, and the firewall policy changes:

[HKCU\Software\Aas]
"a4_116" = "831618036"
"a4_157" = "1125551997"
"a3_149" = "1051199068"
"a4_156" = "1118382876"
"a3_148" = "1044210237"
"a2_180" = "1290437227"
"a4_159" = "1139890239"
"a2_182" = "1304773289"
"a2_183" = "1311956826"
"a2_184" = "1319123775"
"a2_185" = "1326292408"
"a2_186" = "1333459728"
"a4_158" = "1132721118"
"a2_188" = "1347785995"
"a2_189" = "1354956926"
"a3_263" = "1902212494"
"a3_223" = "1581849174"
"a1_185" = "3594249814"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a1_184" = "826773243"
"a2_232" = "1663232452"
"a2_255" = "1828120514"
"a1_183" = "3436965252"
"a1_182" = "3750646165"
"a3_193" = "1400620808"
"a1_181" = "444652748"
"a1_180" = "674544493"
"a4_298" = "2136398058"
"a3_78" = "542637991"
"a3_79" = "549622726"
"a4_206" = "1476838926"
"a3_72" = "533156193"
"a3_73" = "506656128"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Aas]
"a3_71" = "525712590"
"a3_76" = "561686245"
"a3_77" = "568613636"
"a3_74" = "513568291"
"a3_75" = "554631746"
"a4_181" = "1297610901"
"a4_218" = "1562868378"
"a4_219" = "1570037499"
"a4_216" = "1548530136"
"a4_217" = "1555699257"
"a4_214" = "1534191894"
"a4_215" = "1541361015"
"a4_212" = "1519853652"
"a4_213" = "1527022773"
"a4_210" = "1505515410"
"a4_211" = "1512684531"
"a3_152" = "1106310065"
"a3_153" = "1080268752"
"a4_108" = "774265068"
"a4_109" = "781434189"
"a3_156" = "1135231285"
"a3_157" = "1108731220"
"a3_154" = "1087178867"
"a3_155" = "1127787666"
"a4_102" = "731250342"
"a4_103" = "738419463"
"a4_100" = "716912100"
"a4_101" = "724081221"
"a4_106" = "759926826"
"a4_107" = "767095947"
"a4_104" = "745588584"
"a4_105" = "752757705"
"a2_59" = "422984450"
"a2_58" = "415802968"
"a2_53" = "379972038"
"a2_52" = "372799793"
"a2_51" = "365619674"
"a2_50" = "358449583"
"a2_57" = "408634468"
"a2_56" = "401466235"
"a2_55" = "394299729"
"a2_54" = "387136433"
"a3_290" = "2062081995"
"a2_187" = "1340623924"
"a4_251" = "1799449371"
"a4_55" = "394301655"
"a4_54" = "387132534"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_53" = "379963413"
"a4_52" = "372794292"

[HKCU\Software\Aas\695404737]
"50183847" = "06A8BB1AD2BF41C19C957B4CFBEDFF1EF2E3DBE4DA4CD047EAD75E66990059CCABC859A6F25DCE12C46ACFD1231BE43A44AD47CB2CB3B9B6631773B6B0B554211CAC18062A3268B25D9944460116DE02E91BDD350C12D825D2A50CC8D8C43714ED90C6C665B92D768DAC66752F17E51E8C3DDE8BAFA8C6BE3B1DD99913135E28"

[HKCU\Software\Aas]
"a4_59" = "422978139"
"a4_58" = "415809018"
"a1_248" = "3613613238"
"a3_249" = "1801832560"
"a1_178" = "359370572"
"a1_179" = "3571262085"
"a1_176" = "1804677856"
"a3_135" = "950830350"
"a1_174" = "1215382954"
"a1_175" = "2386967442"
"a1_172" = "4290965648"

[HKCU\Software\Aas\695404737]
"21507363" = "0"

[HKCU\Software\Aas]
"a1_170" = "2184583479"
"a1_171" = "607069330"
"a4_296" = "2122059816"
"a2_236" = "1691916186"
"a2_237" = "1699084810"
"a2_234" = "1677581729"
"a2_235" = "1684747092"

"a2_233" = "1670413532"
"a2_230" = "1648898347"
"a2_231" = "1656064411"
"a3_287" = "2074141334"
"a4_209" = "1498346289"
"a2_238" = "1706249014"
"a2_239" = "1713412824"
"a3_94" = "690598327"
"a3_95" = "698045910"
"a3_96" = "671534665"
"a3_97" = "678453992"
"a3_90" = "662052915"
"a3_91" = "669107282"
"a3_92" = "643004661"
"a3_93" = "649993492"
"a3_209" = "1481480472"
"a3_98" = "685967115"
"a3_99" = "726580138"
"a4_295" = "2114890695"
"a3_282" = "2038692083"
"a3_271" = "1926113414"
"a2_181" = "1297605554"
"a3_254" = "1837822487"
"a1_138" = "262026771"
"a1_139" = "3177427701"
"a3_293" = "2083555628"
"a3_270" = "1918678119"
"a1_159" = "4083213820"
"a1_266" = "793064871"
"a1_267" = "3102854550"
"a1_264" = "3778598213"
"a1_265" = "50174773"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a1_263" = "265058250"
"a1_260" = "2026958904"
"a1_261" = "481241016"
"a3_280" = "1990631473"
"a1_130" = "2126950191"
"a1_268" = "1666662101"
"a1_269" = "1773755316"
"a2_157" = "1125556410"
"a2_156" = "1118385456"
"a2_155" = "1111218358"
"a1_131" = "1693252214"
"a2_153" = "1096868252"
"a2_152" = "1089701247"
"a2_99" = "709742340"
"a2_98" = "702576277"
"a2_97" = "695413740"
"a2_96" = "688241421"
"a2_95" = "681058818"
"a2_94" = "673891358"
"a2_93" = "666726084"
"a2_92" = "659556418"
"a2_91" = "652381760"
"a2_90" = "645224189"
"a4_151" = "1082537271"
"a4_150" = "1075368150"
"a4_153" = "1096875513"
"a4_152" = "1089706392"
"a4_155" = "1111213755"
"a4_154" = "1104044634"
"a1_58" = "3665371554"
"a1_59" = "3383193877"
"a1_56" = "776211010"
"a1_57" = "3096474560"
"a1_54" = "622265903"
"a1_55" = "2017316994"
"a1_52" = "638804490"
"a1_53" = "1560123974"
"a1_50" = "4267342224"
"a1_51" = "2008350609"
"a3_215" = "1524377438"
"a3_214" = "1517454143"
"a3_217" = "1572437008"
"a3_216" = "1565514737"
"a3_211" = "1529532890"
"a3_210" = "1488928187"
"a3_213" = "1510469276"
"a3_212" = "1536445053"
"a3_136" = "991836577"
"a3_219" = "1553446098"
"a3_218" = "1545867443"
"a1_155" = "1495585536"
"a4_208" = "1491177168"
"a1_217" = "27098726"
"a3_275" = "1954659866"
"a3_269" = "1945179076"
"a4_266" = "1906986186"
"a3_43" = "324843106"
"a3_42" = "284237251"
"a3_41" = "277248416"
"a3_40" = "269796609"
"a3_47" = "353765350"
"a3_46" = "313221959"
"a3_45" = "305778468"
"a3_44" = "332278405"
"a1_132" = "3681524841"
"a1_133" = "2096452664"
"a3_49" = "368270520"
"a3_48" = "360822809"
"a1_136" = "3410250205"
"a2_119" = "853128188"
"a1_134" = "632268447"
"a1_135" = "817929245"
"a4_99" = "709742979"
"a4_98" = "702573858"
"a4_280" = "2007353880"
"a2_118" = "845962847"
"a3_274" = "1947600379"
"a1_189" = "2130963411"
"a4_91" = "652390011"
"a4_90" = "645220890"
"a4_93" = "666728253"
"a4_92" = "659559132"
"a4_95" = "681066495"
"a4_94" = "673897374"
"a4_97" = "695404737"
"a4_96" = "688235616"
"a3_109" = "798021476"
"a3_108" = "790966981"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\Aas]
"a4_259" = "1856802339"
"a3_245" = "1773304572"
"a1_160" = "1371279971"
"a3_101" = "707522668"
"a3_100" = "733503437"
"a3_103" = "754977070"
"a3_102" = "714511503"
"a3_105" = "769475040"
"a3_104" = "762555713"
"a3_107" = "750493346"
"a3_106" = "742980099"
"a3_284" = "2019045813"
"a2_113" = "810111928"
"a1_250" = "3244944736"
"a2_112" = "802932983"
"a4_264" = "1892647944"
"a1_165" = "2327434187"
"a3_262" = "1861734767"

"a3_70" = "485103791"
"a1_164" = "3744214392"
"a3_297" = "2146049696"
"a2_110" = "788610148"
"a2_117" = "838794346"
"a4_258" = "1849633218"
"a3_285" = "2026624468"
"a2_116" = "831612111"
"a1_169" = "2037227722"
"a2_115" = "824443057"
"a4_263" = "1885478823"
"a1_168" = "4180837862"
"a2_114" = "817276585"
"a2_179" = "1283275188"
"a3_279" = "1983582110"
"a4_252" = "1806618492"
"a3_232" = "1646370241"
"a4_262" = "1878309702"
"a4_253" = "1813787613"
"a4_250" = "1792280250"
"a2_215" = "1541364564"
"a1_222" = "3284626768"
"a2_144" = "1032350863"
"a1_104" = "2211553854"
"a1_221" = "3867268576"
"a1_226" = "140860444"
"a1_227" = "1242290815"
"a1_224" = "3973884712"
"a2_145" = "1039519218"
"a4_256" = "1835294976"
"a1_228" = "154068522"
"a2_217" = "1555696464"
"a3_278" = "2009623423"
"a2_146" = "1046684736"
"a4_257" = "1842464097"
"a4_261" = "1871140581"
"a2_147" = "1053867486"
"a4_254" = "1820956734"
"a2_140" = "1003668759"
"a2_253" = "1813786617"
"a2_141" = "1010851811"
"a2_272" = "1950005683"
"a2_273" = "1957172615"
"a2_270" = "1935655467"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a2_276" = "1978672592"
"a2_142" = "1018016104"
"a2_274" = "1964340469"
"a2_275" = "1971505218"
"a2_278" = "1993024135"
"a2_143" = "1025182016"
"a4_260" = "1863971460"
"a4_297" = "2129228937"
"a2_298" = "2136395577"
"a3_259" = "1873798154"
"a1_246" = "3232512105"
"a3_258" = "1866220523"
"a2_290" = "2079035432"
"a2_291" = "2086207717"
"a2_292" = "2093375459"
"a1_240" = "755317378"
"a2_294" = "2107726256"
"a3_150" = "1092336383"
"a2_296" = "2122058319"
"a2_297" = "2129221520"
"a2_193" = "1383641308"
"a2_192" = "1376474119"
"a2_191" = "1369308376"
"a3_151" = "1099259678"
"a3_133" = "970345548"
"a2_196" = "1405141334"

[HKCU\Software\Aas\695404737]
"35845605" = "397"

[HKCU\Software\Aas]
"a2_194" = "1390817383"
"a2_199" = "1426660191"
"a2_198" = "1419493182"
"a3_116" = "814879197"
"a3_288" = "2048100105"
"a3_117" = "821922428"
"a1_241" = "1093463944"
"a3_114" = "834001179"
"a4_182" = "1304780022"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_180" = "1290441780"
"a3_115" = "807894458"
"a1_89" = "1586180983"
"a1_88" = "803751692"
"a4_184" = "1319118264"
"a4_185" = "1326287385"
"a1_85" = "3909588577"
"a1_84" = "1311025949"
"a1_87" = "1816827822"
"a1_86" = "1403657822"
"a1_81" = "1387330828"
"a1_80" = "3564317705"
"a1_83" = "1132120614"
"a1_82" = "1931154089"
"a3_159" = "1123168790"
"a3_110" = "771902343"
"a2_128" = "917646179"
"a2_129" = "924813704"
"a2_126" = "903315013"
"a2_127" = "910482040"
"a2_124" = "888978979"
"a3_111" = "778955814"
"a2_122" = "874631107"
"a2_123" = "881793651"
"a2_120" = "860296020"
"a2_121" = "867460864"
"a1_67" = "3223544122"
"a1_66" = "3611810380"
"a1_65" = "2815399669"
"a1_64" = "3666968892"
"a1_63" = "2098580106"
"a1_62" = "3507496498"
"a1_61" = "332242240"
"a1_60" = "3182891493"
"a3_138" = "1006335587"
"a3_139" = "979823234"
"a4_162" = "1161397602"
"a4_163" = "1168566723"
"a4_164" = "1175735844"
"a4_165" = "1182904965"
"a1_69" = "283849579"
"a1_68" = "1609745042"
"a1_12" = "1174665665"
"a1_13" = "4076776892"
"a1_10" = "1071546649"
"a1_11" = "2318739959"
"a1_16" = "1472144990"
"a1_17" = "3772702960"
"a1_14" = "4170948361"
"a1_15" = "247433699"
"a4_115" = "824448915"
"a4_114" = "817279794"
"a1_18" = "1449162629"
"a1_19" = "3052690794"
"a4_111" = "795772431"
"a4_110" = "788603310"
"a4_113" = "810110673"
"a4_112" = "802941552"
"a2_48" = "344126011"
"a2_49" = "351278618"
"a4_140" = "1003676940"
"a2_40" = "286766458"
"a2_41" = "293932015"
"a2_42" = "301100597"
"a2_43" = "308266908"
"a2_44" = "315449677"
"a2_45" = "322613994"
"a2_46" = "329785115"
"a2_47" = "336951251"
"a1_244" = "1930848537"
"a3_203" = "1472066242"
"a4_148" = "1061029908"
"a4_146" = "1046691666"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_48" = "344117808"
"a4_49" = "351286929"
"a4_198" = "1419485958"
"a4_278" = "1993015638"
"a4_137" = "982169577"
"a4_255" = "1828125855"
"a4_136" = "975000456"
"a3_205" = "1452936068"
"a4_147" = "1053860787"
"a3_244" = "1765852765"
"a1_161" = "992511352"
"a3_140" = "986812197"
"a1_163" = "71829920"
"a1_162" = "1779274073"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a1_167" = "1020868498"
"a1_166" = "2095080895"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a4_36" = "258088356"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"
"a4_30" = "215073630"
"a3_241" = "1744311672"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a2_175" = "1254589458"
"a2_174" = "1247421669"
"a1_103" = "444958039"
"a2_178" = "1276108325"
"a2_177" = "1268940390"
"a4_292" = "2093383332"
"a4_244" = "1749265524"
"a4_268" = "1921324428"
"a2_176" = "1261772302"
"a1_196" = "1247873550"
"a4_145" = "1039522545"
"a2_171" = "1225927978"
"a3_251" = "1782710578"
"a2_170" = "1218753913"
"a2_283" = "2028857820"
"a3_289" = "2055027624"
"a4_139" = "996507819"
"a1_102" = "1322041885"
"a4_138" = "989338698"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKCU\Software\Aas]
"a1_279" = "474477038"
"a1_278" = "3193507843"
"a2_209" = "1498343068"
"a4_131" = "939154851"
"a1_270" = "1654893587"
"a1_273" = "2548576460"
"a1_272" = "494520747"
"a1_275" = "3849870442"
"a1_274" = "3622541454"
"a3_261" = "1854160076"
"a1_276" = "2952713506"
"a3_228" = "1617824845"
"a1_101" = "2819443449"
"a1_249" = "2178098149"
"a1_237" = "1864736660"
"a4_149" = "1068199029"
"a3_141" = "1027810116"
"a3_247" = "1753789374"
"a2_221" = "1584378282"
"a2_220" = "1577211133"
"a2_223" = "1598711876"
"a2_222" = "1591548121"
"a2_225" = "1613046355"
"a2_224" = "1605880248"
"a2_227" = "1627398089"
"a2_226" = "1620215426"
"a1_229" = "253926568"
"a3_229" = "1624875244"
"a2_207" = "1483999789"
"a3_181" = "1280611004"
"a4_267" = "1914155307"
"a2_88" = "630888401"
"a2_89" = "638057599"
"a3_180" = "1307180573"
"a2_84" = "602206565"
"a2_85" = "609372177"
"a2_86" = "616539373"
"a2_87" = "623721910"
"a2_80" = "573523851"
"a3_34" = "260325067"
"a2_82" = "587874101"
"a2_83" = "595039398"
"a4_124" = "888971004"
"a4_125" = "896140125"
"a1_29" = "2974281407"
"a1_28" = "3228685785"
"a4_120" = "860294520"
"a4_121" = "867463641"
"a4_122" = "874632762"
"a4_123" = "881801883"
"a1_23" = "1393522403"
"a1_22" = "767601794"
"a1_21" = "3088289700"
"a1_20" = "1050578346"
"a1_27" = "889908127"
"a1_26" = "675954575"
"a1_25" = "2922091070"
"a1_24" = "2020335726"
"a4_141" = "1010846061"
"a1_285" = "2524762016"
"a1_286" = "582086917"
"a1_287" = "1974893675"
"a1_280" = "4051501990"
"a3_187" = "1324038386"
"a1_282" = "4201119768"
"a1_283" = "373603973"
"a3_186" = "1316586579"
"a1_288" = "3433708153"
"a1_289" = "2949852375"
"a3_189" = "1371566516"
"a4_269" = "1928493549"
"a2_268" = "1921322667"
"a3_227" = "1610836010"
"a3_291" = "2103079018"
"a3_50" = "341766363"
"a3_51" = "348755322"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_53" = "396796476"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a3_58" = "432789459"
"a3_59" = "406145138"
"a1_127" = "826778688"
"a1_126" = "257202663"
"a1_121" = "983010832"
"a1_120" = "3699315254"
"a1_123" = "3193270353"
"a1_122" = "1034703985"
"a4_238" = "1706250798"
"a4_239" = "1713419919"
"a3_267" = "1930746626"
"a1_277" = "1007037611"
"a2_111" = "795775190"
"a4_230" = "1648897830"
"a4_231" = "1656066951"
"a4_232" = "1663236072"
"a4_233" = "1670405193"
"a4_234" = "1677574314"
"a4_235" = "1684743435"
"a4_236" = "1691912556"
"a4_237" = "1699081677"
"a3_178" = "1292673371"
"a3_179" = "1300121082"
"a3_174" = "1264145351"
"a3_175" = "1271198822"
"a3_176" = "1245079705"
"a3_177" = "1252068664"
"a3_170" = "1235731011"
"a3_171" = "1209100002"
"a3_172" = "1216092933"
"a3_173" = "1223671716"
"a2_31" = "222234361"
"a2_30" = "215079550"
"a2_33" = "236579903"
"a2_32" = "229414781"
"a2_35" = "250911624"
"a2_34" = "243747348"
"a2_37" = "265263361"
"a2_36" = "258081705"
"a2_39" = "279598592"
"a2_38" = "272431981"
"a4_79" = "566360559"
"a4_78" = "559191438"
"a3_226" = "1636956043"
"a1_223" = "3859520039"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_71" = "509007591"
"a4_70" = "501838470"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_75" = "537684075"
"a4_74" = "530514954"
"a2_264" = "1892651589"
"a3_266" = "1890133731"
"a1_137" = "2419547187"
"a2_265" = "1899819196"
"a4_86" = "616544406"
"a4_87" = "623713527"
"a4_84" = "602206164"
"a4_85" = "609375285"
"a4_82" = "587867922"
"a4_83" = "595037043"
"a4_80" = "573529680"
"a4_81" = "580698801"
"a4_183" = "1311949143"
"a1_225" = "2787314717"
"a4_197" = "1412316837"
"a4_88" = "630882648"
"a4_89" = "638051769"
"a1_158" = "1843825035"
"a2_100" = "716903321"
"a4_196" = "1405147716"

[HKCU\Software\Aas\695404737]
"14338242" = "0"

[HKCU\Software\Aas]
"a1_150" = "1607416066"
"a1_151" = "3179680616"

[HKCU\Software\Aas\695404737]
"7169121" = "124"

[HKCU\Software\Aas]
"a1_153" = "548893316"
"a1_154" = "2159520996"
"a2_102" = "731242157"
"a1_156" = "1985578463"
"a1_157" = "3359480390"
"a1_235" = "939181873"
"a2_229" = "1641731088"
"a1_188" = "647973971"
"a2_103" = "738425008"
"a1_231" = "2225263454"
"a1_230" = "3402199707"
"a1_233" = "1932399933"
"a2_228" = "1634564709"
"a2_104" = "745593561"
"a4_201" = "1440993321"
"a1_247" = "2307822889"
"a1_239" = "2953552820"
"a1_238" = "1066212186"
"a2_105" = "752750083"
"a2_210" = "1505512761"
"a2_211" = "1512678900"
"a2_212" = "1519860719"
"a2_213" = "1527028356"
"a2_214" = "1534194303"
"a2_106" = "759924573"
"a2_216" = "1548528580"
"a1_177" = "792532830"
"a2_218" = "1562862938"
"a2_219" = "1570044721"
"a3_253" = "1830771188"
"a2_107" = "767094226"
"a1_187" = "660744334"
"a3_221" = "1600966036"
"a2_267" = "1914147202"
"a2_266" = "1906989801"
"a2_261" = "1871137615"
"a2_260" = "1863964322"
"a2_263" = "1885471404"
"a2_262" = "1878303149"
"a1_96" = "2898512924"
"a2_269" = "1928488662"
"a3_185" = "1309597744"
"a4_275" = "1971508275"
"a1_173" = "4202804954"
"a2_244" = "1749269045"
"a1_232" = "1449218731"
"a3_183" = "1328655230"
"a1_186" = "3570620965"
"a3_222" = "1608410679"
"a4_272" = "1950000912"
"a2_131" = "939148892"
"a2_289" = "2071874398"
"a2_288" = "2064708749"
"a2_130" = "931983020"
"a4_179" = "1283272659"
"a2_282" = "2021700087"
"a2_281" = "2014525281"
"a2_280" = "2007362169"
"a2_287" = "2057545815"
"a2_133" = "953497833"
"a2_285" = "2043192569"
"a2_284" = "2036024833"
"a2_132" = "946331253"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas]
"a2_135" = "967832323"
"a3_182" = "1288058591"
"a4_273" = "1957170033"
"a2_134" = "960664109"
"a1_107" = "3230798553"
"a1_294" = "495494821"
"a2_137" = "982163752"
"a4_178" = "1276103538"
"a1_106" = "3280004727"
"a4_227" = "1627390467"
"a2_136" = "974999533"
"a1_105" = "1766187217"
"a4_265" = "1899817065"
"a4_195" = "1397978595"
"a4_194" = "1390809474"
"a1_98" = "2645168756"
"a1_99" = "317835327"
"a4_191" = "1369302111"
"a4_190" = "1362132990"
"a4_193" = "1383640353"
"a4_192" = "1376471232"
"a1_92" = "479923809"
"a1_93" = "2617805663"
"a1_90" = "91595604"
"a1_91" = "2057942215"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_97" = "2728917768"
"a1_94" = "4239588295"
"a1_95" = "1819763499"
"a2_75" = "537689948"
"a2_74" = "530522317"
"a2_77" = "552013931"
"a2_76" = "544854311"
"a2_71" = "509015248"
"a2_70" = "501835868"
"a2_73" = "523339378"
"a2_72" = "516171623"
"a2_139" = "996516730"
"a2_138" = "989332905"
"a1_100" = "1709071803"
"a2_79" = "566353306"
"a2_78" = "559186802"
"a1_74" = "826027859"
"a1_75" = "1345752357"
"a1_76" = "672156095"
"a1_77" = "4190342251"
"a1_70" = "3035074501"
"a1_71" = "528275036"
"a1_72" = "3427455530"
"a1_73" = "2262222866"
"a4_173" = "1240257933"
"a4_172" = "1233088812"
"a3_129" = "907869896"
"a3_128" = "934369961"
"a1_78" = "3120882369"
"a1_79" = "1365400886"
"a4_175" = "1254596175"
"a4_174" = "1247427054"
"a4_291" = "2086214211"
"a3_123" = "898388146"
"a3_239" = "1730403494"
"a3_122" = "891468819"
"a3_237" = "1682343908"
"a3_236" = "1708909381"
"a3_235" = "1701334818"
"a3_234" = "1660856963"
"a3_233" = "1653814880"
"a3_121" = "850861040"
"a3_231" = "1672935854"
"a3_230" = "1665877263"
"a3_252" = "1789764949"
"a4_288" = "2064706848"
"a3_120" = "843343697"
"a1_109" = "4246980379"
"a2_173" = "1240255714"
"a3_127" = "927442486"
"a4_283" = "2028861243"
"a1_108" = "95649362"
"a4_285" = "2043199485"
"a4_284" = "2036030364"
"a4_287" = "2057537727"
"a3_126" = "886312343"
"a1_0" = "3299283285"
"a2_279" = "2000176374"
"a4_276" = "1978677396"
"a3_125" = "879323508"
"a3_198" = "1436076335"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Aas]
"a3_196" = "1388556397"
"a3_197" = "1429034124"
"a3_194" = "1407548331"
"a3_124" = "905966805"
"a3_192" = "1393042153"
"a1_2" = "3712339979"
"a3_190" = "1345525207"
"a3_191" = "1352568438"
"a1_242" = "3221864939"
"a1_3" = "2620474486"
"a2_172" = "1233085302"
"a3_283" = "2045680914"
"a1_4" = "83174613"
"a4_171" = "1225919691"
"a1_5" = "616562248"
"a4_170" = "1218750570"
"a1_6" = "454656014"
"a4_177" = "1268934417"
"a1_7" = "2401786110"
"a4_176" = "1261765296"
"a3_29" = "224867540"
"a3_28" = "183865525"
"a1_116" = "1707665197"
"a1_117" = "62633481"
"a1_110" = "51788306"
"a1_111" = "1093749887"
"a1_112" = "3546121677"
"a1_9" = "2948510009"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"
"a3_26" = "169827315"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a4_28" = "200735388"
"a4_29" = "207904509"
"a2_81" = "580705329"
"a4_279" = "2000184759"
"a4_203" = "1455331563"
"a3_273" = "1974165848"
"a3_272" = "1966722361"
"a3_238" = "1689270279"
"a4_126" = "903309246"
"a1_190" = "2131824957"
"a4_127" = "910478367"
"a3_277" = "2002712284"
"a3_276" = "1962103485"
"a1_208" = "2980724756"
"a1_209" = "4255338127"
"a3_255" = "1844811446"
"a1_204" = "3662124057"
"a1_205" = "2365133812"
"a1_206" = "1109703758"
"a1_207" = "3265381307"
"a1_200" = "4005370983"
"a1_201" = "4222001776"
"a1_202" = "3485218782"
"a1_203" = "1953740722"
"a2_162" = "1161401255"
"a3_286" = "2067091063"
"a3_112" = "785940569"
"a2_163" = "1168558830"
"a4_277" = "1985846517"
"a2_160" = "1147051555"
"a4_289" = "2071875969"
"a2_161" = "1154220752"
"a2_258" = "1849634845"
"a2_259" = "1856802957"
"a1_243" = "2295046218"
"a2_254" = "1820951680"
"a4_128" = "917647488"
"a2_256" = "1835300673"
"a2_257" = "1842467574"
"a2_250" = "1792282747"
"a2_251" = "1799441168"
"a2_252" = "1806592737"
"a4_129" = "924816609"
"a4_290" = "2079045090"
"a3_113" = "826942712"
"a2_164" = "1175736875"
"a2_165" = "1182901708"
"a1_284" = "1065187269"
"a2_293" = "2100545231"
"a2_101" = "724077854"
"a2_295" = "2114891818"
"a1_38" = "213872447"
"a1_39" = "3964775043"
"a4_135" = "967831335"
"a4_134" = "960662214"
"a4_133" = "953493093"
"a4_132" = "946323972"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_130" = "931985730"
"a1_30" = "2646907918"
"a1_31" = "3886322426"
"a1_32" = "1167938370"
"a1_33" = "2462240188"
"a1_34" = "2225036716"
"a1_35" = "370808629"
"a1_36" = "2012235382"
"a1_37" = "3198637671"
"a1_297" = "268306996"
"a1_296" = "3081225195"
"a1_295" = "1228629625"
"a4_282" = "2021692122"
"a1_293" = "3932817244"
"a1_292" = "108152601"
"a1_291" = "2838970138"
"a1_290" = "534812079"
"a1_298" = "4191090867"
"a2_190" = "1362127713"
"a3_158" = "1115724279"
"a2_197" = "1412311272"
"a4_286" = "2050368606"
"a2_168" = "1204419755"
"a1_251" = "2437167570"
"a2_108" = "774262729"
"a2_109" = "781429634"
"a3_69" = "478110732"
"a3_68" = "470664173"
"a3_65" = "449123976"
"a3_64" = "442135145"
"a3_67" = "497168202"
"a3_66" = "489720619"
"a3_61" = "454263092"
"a3_60" = "413199509"
"a3_63" = "468244982"
"a3_62" = "461186391"
"a4_229" = "1641728709"
"a4_228" = "1634559588"
"a4_223" = "1598713983"
"a4_222" = "1591544862"
"a4_221" = "1584375741"
"a4_220" = "1577206620"
"a2_169" = "1211586988"
"a4_226" = "1620221346"
"a4_225" = "1613052225"
"a4_224" = "1605883104"
"a1_1" = "3386940473"
"a3_169" = "1228156448"
"a3_168" = "1187689857"
"a3_167" = "1180635502"
"a3_166" = "1206680783"
"a3_165" = "1199757484"
"a3_164" = "1192698893"
"a3_163" = "1151697898"
"a3_162" = "1144713035"
"a3_161" = "1171213096"
"a3_160" = "1163777673"
"a4_270" = "1935662670"
"a3_298" = "2119545539"
"a2_28" = "200730413"
"a2_29" = "207899426"
"a2_26" = "186388573"
"a2_27" = "193573873"
"a2_24" = "172061634"
"a2_25" = "179228956"
"a2_22" = "157728729"
"a2_23" = "164896728"
"a2_20" = "143379083"
"a2_21" = "150544185"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a3_195" = "1380982730"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a4_66" = "473161986"
"a4_67" = "480331107"
"a1_271" = "1947436775"
"a1_220" = "3385766037"
"a3_246" = "1746738975"
"a3_256" = "1818692393"
"a1_198" = "736460622"
"a3_250" = "1809280147"
"a4_200" = "1433824200"
"a2_7" = "50176954"
"a2_6" = "43009444"
"a2_5" = "35841042"
"a2_4" = "28673537"
"a2_3" = "21498089"
"a2_2" = "14346572"
"a2_1" = "7173091"
"a2_0" = "9832"
"a1_236" = "1874456889"
"a2_9" = "64528830"

"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a1_143" = "466382169"
"a1_142" = "1925498775"
"a1_141" = "3696359475"
"a1_140" = "2537411029"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a1_145" = "1258044847"
"a1_144" = "929369797"
"a3_52" = "389745053"
"a3_295" = "2131608046"
"a2_203" = "1455329146"
"a2_202" = "1448159917"
"a2_201" = "1440992090"
"a2_200" = "1433825508"
"a4_202" = "1448162442"
"a2_206" = "1476846532"
"a2_205" = "1469674079"
"a2_204" = "1462493261"
"a1_129" = "2785209228"
"a1_192" = "2813932438"
"a2_8" = "57360172"
"a3_292" = "2110067853"
"a1_128" = "3648551230"
"a3_87" = "607024862"
"a3_86" = "633131711"
"a3_85" = "626081308"
"a3_84" = "585598461"
"a3_83" = "578085210"
"a3_82" = "571034939"
"a3_81" = "597665944"
"a3_80" = "590099577"
"a2_154" = "1104051136"
"a1_218" = "2704188908"
"a3_294" = "2091003215"
"a1_149" = "4211163692"
"a3_89" = "654610320"
"a3_88" = "614067057"
"a1_125" = "2005880547"
"a4_205" = "1469669805"
"a1_148" = "3095623490"
"a1_124" = "2194599603"
"a4_186" = "1333456506"
"a4_168" = "1204412328"
"a4_187" = "1340625627"
"a3_268" = "1938194341"
"a1_234" = "648264702"
"a4_271" = "1942831791"
"a3_199" = "1409969486"
"a1_281" = "2221510969"
"a4_274" = "1964339154"
"a3_242" = "1718323611"
"a1_194" = "1339167033"
"a1_212" = "2396300066"
"a4_204" = "1462500684"
"a1_245" = "3019955342"
"a4_245" = "1756434645"
"a4_294" = "2107721574"
"a4_169" = "1211581449"
"a4_188" = "1347794748"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A A2 68 6E D8 CA 54 72 50 79 3C 58 FA DF AC EB"

[HKCU\Software\Aas]
"a4_189" = "1354963869"
"a2_125" = "896147817"
"a3_296" = "2139060737"
"a1_147" = "2942956766"
"a3_243" = "1725243962"
"a1_195" = "118090347"
"a3_257" = "1825746760"
"a4_207" = "1484008047"
"a1_146" = "3410060697"
"a3_220" = "1593911669"
"a1_252" = "1640079666"
"a1_8" = "310532945"
"a4_199" = "1426655079"
"a1_257" = "2838101978"
"a1_256" = "2742109519"
"a1_255" = "9689377"
"a1_254" = "4221489504"
"a1_259" = "3968162207"
"a1_258" = "1626282000"
"a4_281" = "2014523001"
"a2_62" = "444493003"
"a2_63" = "451653186"
"a2_60" = "430153701"
"a2_61" = "437320717"
"a2_66" = "473168804"
"a2_67" = "480337451"
"a2_64" = "458821396"
"a2_65" = "465987022"
"a3_240" = "1737322713"
"a2_68" = "487503795"
"a2_69" = "494671922"
"a2_148" = "1061032595"
"a2_149" = "1068202552"
"a1_41" = "1175678420"
"a1_40" = "3112489572"
"a1_43" = "812055938"
"a1_42" = "608335292"
"a1_45" = "2664743508"
"a1_44" = "806423141"
"a1_47" = "3114940119"
"a1_46" = "382469827"
"a1_49" = "1624578760"
"a1_48" = "262978150"
"a4_144" = "1032353424"

[HKCU\Software\Aas]
"a4_142" = "1018015182"
"a4_143" = "1025184303"
"a3_118" = "862924447"
"a3_119" = "869974846"
"a3_202" = "1465015971"
"a1_114" = "2372408656"
"a3_200" = "1416954337"
"a3_201" = "1424013824"
"a3_206" = "1493543975"
"a3_207" = "1500987462"
"a3_204" = "1445500773"
"a1_115" = "1433143777"
"a1_197" = "3384758008"
"a2_166" = "1190069132"
"a3_208" = "1508041977"
"a2_195" = "1397976420"
"a1_199" = "2671395383"
"a4_246" = "1763603766"
"a4_293" = "2100552453"
"a1_262" = "3369308703"
"a3_36" = "241268621"
"a3_37" = "248309804"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a3_35" = "267899754"
"a3_32" = "212854281"
"a3_33" = "253401768"
"a3_30" = "231909751"
"a3_31" = "205278614"
"a2_167" = "1197235853"
"a3_188" = "1364647189"
"a1_113" = "4024075904"
"a4_241" = "1727758161"
"a3_38" = "289377359"
"a3_39" = "296296686"
"a4_249" = "1785111129"
"a3_184" = "1336102801"
"a2_277" = "1985839394"
"a4_248" = "1777942008"

"a3_130" = "915379051"
"a1_191" = "1167890182"
"a3_131" = "922302346"
"a1_118" = "713380749"

"a3_132" = "962897965"
"a1_119" = "1474186411"
"a2_17" = "121878036"
"a2_16" = "114708582"
"a2_15" = "107543232"
"a2_14" = "100362012"
"a2_13" = "93206883"
"a2_12" = "86027549"
"a2_11" = "78860252"
"a2_10" = "71693673"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

Adds a rule to the Windows firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

A firewall is disabled:

"EnableFirewall" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

The process %original file name%.exe:368 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 F8 F4 86 3B 1B E2 FA 92 2A 1E D2 71 9E 38 23"

The process %original file name%.exe:1512 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 69 E3 0D 9B 66 AD B2 50 51 6E 2B D0 57 D6 5C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
4c2889a09d8b61030d22efac5c1df05b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\extramod.dll
44dac7f87bdf94d553f8d2cf073d605d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\loading_screen.dll
fed9c500c5afebba464efb1f9b29c03f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\lua51.dll
692479f7c07a64a6a632148e382f0e22 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\nsis7z.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\nsisunz.dll
37a74488fef5134c6d516b85dc8a50e8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\shared_library.dll
e497801c6da7c20d01afdf7b4d629253 c:\xlkgcc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Tomorrow Software
Product Name: Tomorrow Software Installer
Product Version: 2.0.0.1
Legal Copyright: Copyright (C) 2015
Legal Trademarks:
Original Filename: tomorrow-setup.exe
Internal Name: tomorrow-setup.exe
File Version: 2.0.0.1
File Description: Tomorrow Software Installer
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 52267 52736 4.48304 e3f0c37762325fb78cefc642ba08628c
.rdata 57344 10284 10752 3.95558 c3306f447e7a0d7665ecee1e2bffc5f0
.data 69632 15676 12288 4.6783 70a100b49fc6b0bc09f519b37f6d6c19
.bindat 86016 585915 586240 5.54408 39d85c968160ae9a37a25899a1b7419f
.script 675840 213660 214016 5.54341 4b9962da34a85d88c4337744d68dcfa3
.rsrc 892928 90112 89088 5.42091 5c5630f07fe626935e4235a32c144a17

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://service.downloadadmin.com/install?bc=1187055&pid=sharpened&brand=sharpened.com&s=cnet&country=US&osName=Windows&osVersion=8.1&browserName=Firefox&browserVersion=38&secure=true&checksum=0 50.22.63.138


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /install?bc=1187055&pid=sharpened&brand=sharpened.com&s=cnet&country=US&osName=Windows&osVersion=8.1&browserName=Firefox&browserVersion=38&secure=true&checksum=0 HTTP/1.1
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1187055&pid=sharpened&brand=sharpened.com&s=cnet&country=US&osName=Windows&osVersion=8.1&browserName=Firefox&browserVersion=38&secure=true&checksum=0
X-Exe-Checksum: 0
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1187055&pid=sharpened&brand=sharpened.com&s=cnet&country=US&osName=Windows&osVersion=8.1&browserName=Firefox&browserVersion=38&secure=true
X-Exename: %original file name%.exe
User-Agent: Installer(ref=[d0dc811765a4027bfcfca1c3a6bf27af7eebf634];windows=5.1;uac=false;ie=6.0.2900.5512;elevated=true;dotnet=nil;startTime=835061;pid=1512)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: hXXps://service.downloadadmin.com/install?bc=1187055&pid=sharpened&brand=sharpened.com&s=cnet&country=US&osName=Windows&osVersion=8.1&browserName=Firefox&browserVersion=38&secure=true&checksum=0
Connection: close


The Worm connects to the servers at the following location(s):

%original file name%.exe_716:

.text
.rdata
.data
.bindat
@.script
@.rsrc
PSSSSSSh
%d.%d.%d
./shared_library.dll
./extramod.dll
./lua51.dll
advapi32.dll
Error creating ShellLink(rc=%d)
CoCreateInstance failed(rc=%d)
All Files|*.*
miniz.InflateZStream
miniz.DeflateZStream
inflate() failed(rc=%d)
deflate() failed(rc=%d)
Unsupported filter input(string|nil) expected
deflateInit() failed (rc=%s)
inflateInit() failed (rc=%s)
derive_key
default_key
KEYLEN
UPDATE_KEY
EXPORTABLE
DELETE_KEYSET
MACHINE_KEYSET
NEWKEYSET
BAD_KEYSET
NO_KEY
BAD_PUBLIC_KEY
bad argument #%d to %s('%s' expected)
%s<%p>
provider_derive_key
key_destroy
%s expected data in index [1]
%s expected 'length' with lightuserdata
%s expected table argument
key_encrypt
key_decrypt
key_duplicate
Win32.Crypt.Key
Win32.Crypt.Hash
Win32.Crypto.Provider
@MIME 1.0.3
debug.pdb
USER32.dll
GDI32.dll
KERNEL32.dll
comdlg32.dll
ole32.dll
SHFileOperationA
SHELL32.dll
msvcrt.dll
_acmdln
_amsg_exit
luabridge.classes
resources.compressed
luabridge.config
luabridge.net
local rshift,lshift,band=bit.rshift,bit.lshift,bit.band
local tohex=bit.tohex;
local dict=ffi.new("char[?]",64)
function M.setSymbols(symbols)
ffi.copy(dict,symbols,64);
seg = seg .. string.char(dict[bits]);
seg = seg .. string.char(dict[bits]);
table.insert(buf,seg);
seg=string.char(dict[idx]);
seg=seg .. string.char(dict[bits]);
table.insert(buf,seg)
table.insert(buf,({"",string.rep(placeholder,2),placeholder})[(#data % 3) 1])
return table.concat(buf);
local block=ffi.new("char[?]",block_sz);
function M.unb64(data)
table.insert(buf,ffi.string(block,p));
local seg=ffi.string(block,p);
--print("Append ",oldp,eqs,seg,ffi.string(block,oldp));
table.insert(buf,seg);
return table.concat(buf)
M.setSymbols(DEF_DICT);
function M.defaultDict()
M.setSymbols(DEF_DICT);
M.unfilter = M.unb64
M.setSymbols(loadarg);
return M.unb64;
win32.shell
mime.core
return require('cleanup').runCleanup()
dialog.image
resources.binlib
%d.%.%d
dialog.html
luabridge.win32
resources.nsis
luabridge.nsis
resources.js
luabridge.registry
luabridge.fs
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
lua51.dll
luabridge.dll
shared_library.dll
stdole2.tlbWWW
Created by MIDL version 7.00.0555 at Tue Jun 16 19:40:47 2015
version="2.0.0.1"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
.rsrc
c:\%original file name%.exe
hXXp://pelcpawel.fm.interia.pl/logos.gif
hXXp://chicostara.com/logof.gif
hXXp://suewyllie.com/images/logos.gif
hXXp://dewpoint-eg.com/images/logosa.gif
hXXp://VVV.ceylanogullari.com/logof.gif
hXXp://VVV.bluecubecreatives.com/logos.gif
hXXp://724hizmetgrup.com/images/logosa.gif
hXXp://yavuztuncil.ya.funpic.de/images/logos.gif
hXXp://cevatpasa.com/images/logos.gif
hXXp://173.193.19.14/logo.gif
ADVAPI32.dll
MSVCRT.dll
WS2_32.dll
RegCloseKey
.vX0-
tomorrow-setup.exe
2.0.0.1

%original file name%.exe_716_rwx_00AD0000_0108E000:

c:\windows
hXXp://pelcpawel.fm.interia.pl/logos.gif
hXXp://chicostara.com/logof.gif
hXXp://suewyllie.com/images/logos.gif
hXXp://dewpoint-eg.com/images/logosa.gif
hXXp://VVV.ceylanogullari.com/logof.gif
hXXp://VVV.bluecubecreatives.com/logos.gif
hXXp://724hizmetgrup.com/images/logosa.gif
hXXp://yavuztuncil.ya.funpic.de/images/logos.gif
hXXp://cevatpasa.com/images/logos.gif
hXXp://173.193.19.14/logo.gif
%System%\drivers\omrpi.sys
8318596623
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll

%original file name%.exe_716_rwx_020A0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

%original file name%.exe_716_rwx_021B0000_00001000:

|%original file name%.exeM_716_

Explorer.EXE_532_rwx_00FF0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

%original file name%.exe_1512:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp/a1dZ9SphvcHGY0Rm1Ua
c:\%original file name%.exe

%original file name%.exe_1512_rwx_01150000_00001000:

|%original file name%.exeM_1512_

Explorer.EXE_532_rwx_01E00000_00001000:

|explorer.exeM_532_


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:368

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %WinDir%\system.ini (70 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\winasteok.exe (741 bytes)
    C:\xlkgcc.exe (103 bytes)
    C:\autorun.inf (335 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\lua51.dll (3578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\nsis7z.dll (2039 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\shared_library.dll (1485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\loading_screen.dll (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\extramod.dll (675 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a1dZ9SphvcHGY0Rm1Ua\nsisunz.dll (40 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
