Win32.Sality.OG_3c61cb16da

by malwarelabrobot on January 22nd, 2015 in Malware Descriptions.

Win32.Sality.OG (B) (Emsisoft), Win32.Sality.OG (AdAware), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, mzpefinder_pcap_file.YR, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, WormAutorun


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 3c61cb16daa1d0a2e19638ac66f4569c
SHA1: aa35b20145d9d10931b316f6caf75a00b29064e7
SHA256: 0ea2dd3c14466f9f9c2c8b80e82f98882703f40f70a0a821b140f64f1f0b8be4
SSDeep: 3072:w5BxYAVrgUCPnwCW4WuNwgmDzG8zgA9vBAGWdpEDiNt6McYPUoyjZW5SEvrGmZJi:w5BgUCRhNwgR8zgAklMiQvoyjZErGmTi
Size: 158760 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-02-24 21:20:04
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Worm. A program that primarily replicates over networks or removable drives.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

statisticsStub.:272
netsh.exe:320

The Worm injects its code into the following process(es):

%original file name%.exe:1572
Explorer.EXE:512

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process statisticsStub.:272 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp\InetC.dll (24 bytes)
C:\END (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\usage[1].ashx (9 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp\InetC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp\1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\conduitStatistics.csf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB5.tmp (0 bytes)

The process %original file name%.exe:1572 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\system.ini (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\statisticsstub[1].exe (6340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001DF1A6_Rar\%original file name%.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsB4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\InetC.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\statisticsStub.exe (6340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\conduitStatistics.csf (1475 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsB4.tmp (0 bytes)
C:\1df928 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\InetC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB2.tmp (0 bytes)

Registry activity

The process statisticsStub.:272 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nseB6.tmp\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B D0 96 FE 4C 31 AA 13 DA C7 A3 0F 40 27 6A 10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE security zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process netsh.exe:320 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 9E 04 EB 4D 48 10 14 E4 88 9F F8 C1 0F 98 B9"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Windows Firewall (standard profile) is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process %original file name%.exe:1572 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\adm914]
"a1_2" = "725158170"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\adm914]
"a3_2" = "31040235"
"a1_3" = "1782450922"
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\adm914]
"a1_0" = "3432392762"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\adm914]
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_1" = "7169121"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nseB6.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\adm914\695404737]
"43014726" = "0400687474703A2F2F38392E3131392E36372E3135342F746573746F352F00687474703A2F2F6B756B7574727573746E65743737372E696E666F2F686F6D652E67696600687474703A2F2F6B756B7574727573746E65743838382E696E666F2F686F6D652E67696600687474703A2F2F6B756B7574727573746E65743938372E696E666F2F686F6D652E67696600"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\adm914\695404737]
"14338242" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\adm914\695404737]
"7169121" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\adm914\695404737]
"35845605" = "143"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\adm914]
"a1_1" = "643681716"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\adm914\695404737]
"28676484" = "30"

[HKCU\Software\adm914]
"a3_0" = "17001001"
"a3_1" = "23989832"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\adm914]
"a3_3" = "4933386"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\adm914\695404737]
"50183847" = "7439D18CF99ADB97C70A1EA4EA1DDEB3A46AF9AF9995ACD22104A39789171EB3633818AD029260106FF7F47FE0DE6244028206B85FFFAD226E9742031F5914A424C8AAD11CCC09A683D5C288F7B6E1F47648BB6509895D8CEFEAA4FC96A6440B61FA7545CEB6A4B60F5D6273763CD021B75224603D4E837AD74FFC1C93A050D600"

[HKCU\Software\adm914]
"a2_1" = "7173761"
"a2_0" = "5517"
"a2_3" = "21509101"
"a2_2" = "14342466"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 20 01 D8 DF 52 5B 15 76 E5 ED 0A CD 9B A8 D6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\adm914\695404737]
"21507363" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Adds a Windows Firewall rule that allows the Worm's executable any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE security zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
9954bdf0d57b7cd53c5434360ce4923f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\001DF1A6_Rar\%original file name%.exe
6a0f411ca91a97a709b98e114f4052d5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\statisticsStub.exe
6a0f411ca91a97a709b98e114f4052d5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\statisticsstub[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Conduit
Product Name:
Product Version:
Legal Copyright: Conduit Ltd.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.7.4.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 29324 29696 4.51998 1f4aa5e35db2d1893ac5a7044048d07d
.rdata 36864 11118 11264 3.11773 cca1ca3fbf99570f6de9b43ce767f368
.data 49152 469916 512 1.25109 77f0839f8ebea31040e462523e1c770e
.ndata 520192 2772992 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 3293184 3008 3072 3.01394 c5a749bab698d47d47acff6534f569b7
.reloc 3297280 4054 4096 3.78201 b56452d6d4550b55f6f232e5f2ca8121
.brdata 3301376 69632 69632 5.53972 f45f37eb7c27439ebb4e73e407ab8e07

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e6321.g.akamaiedge.net/ps/conduitinstaller/statisticsstub.exe
hxxp://usage.integration.toolbar.va.conduit-services.com/usage.ashx
hxxp://storage.conduit.com/ps/conduitinstaller/statisticsstub.exe 23.9.99.136
hxxp://usage.integration.toolbar.conduit-services.com/usage.ashx 199.101.114.117


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /ps/conduitinstaller/statisticsstub.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: storage.conduit.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 17 Dec 2012 13:49:50 GMT
ETag: "9ff9b7625ddccd1:0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Expires: Thu, 22 Jan 2015 10:43:26 GMT
Date: Wed, 21 Jan 2015 10:43:26 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Access-Control-Max-Age: 604800
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, content-type
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
00006000..MZ......................@...................................
............!..L.!This program cannot be run in DOS mode....$.......A{
.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich.
..8........PE..L.....GO.................t...z...B...8............@....
......................`............@.................................@
[email protected]........`.....................................
..................................................text....r.......t...
............... ..`.rdata..n .......,...x..............@[email protected].... .
[email protected]...............................
rsrc........@......................@[email protected].................
[email protected].............................................................
......................................................................
......................................................................
......................................................................
.........................................................U....\.}..t .
}[email protected][email protected]
..E.P.u.....@..}[email protected]... M..........M........E..
.FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..
[email protected]}[email protected].}.j.W.E..
[email protected][email protected][email protected] [email protected]..
.u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..
i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[

<<< skipped >>>

POST /usage.ashx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: usage.integration.toolbar.conduit-services.com
Content-Length: 1101
Connection: Keep-Alive
Cache-Control: no-cache

{"installationType":"NSISBundle","installationVersion":"5.7.4.0","actionType":"postInstallReport","bundleGUID":"","parentProcess":"NULL","ctid":"","installtype":"","installid":"","cmdline":"","startpage":"","initStartpage":"","defaultsearch":"","initDefaultsearch":"","showwelcomepage":"","openwelcomedialog":"","fix404":"","searchfromaddress":"","openuninstallpage":"","defaultsearchdisplayname":"","defaultsearchurl":"","enablealerts":"","searchrevert":"","usermode":"","returnCode":"3","returnMessage":"Command Line Error: CTID Parameter Missing - Bad Usage","ieBrowserVersion":"","ieToolbarVersion":"","ieReturnCode":"","ieReturnMessage":"","ffBrowserVersion":"","ffToolbarVersion":"","ffReturnCode":"","ffReturnMessage":"","chBrowserVersion":"","chToolbarVersion":"","chReturnCode":"","chReturnMessage":"","singleInstall":"","iePreviouslyInstalled":"","ffPreviouslyInstalled":"","chPreviouslyInstalled":"","ieInstallVerified":"","ffInstallVerified":"","chInstallVerified":"","defaultBrowser":"","isUnicodeOSLanguage":"","installBlockerDetected":"","isFFActive":"","isCHActive":"","isIEActive":""}
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 21 Jan 2015 10:43:30 GMT
Content-Length: 9
ConduitOK..


The Worm connects to the servers at the following location(s):

%original file name%.exe_1572:

.text
.rdata
.data
.ndata
.rsrc
@.reloc
B.brdata
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
Vv.Vf
`.rdata
@.data
.reloc
SSh4!
u.hl!
PeekNamedPipe
CreatePipe
nsExec.dll
MSVCRT.dll
HttpSendRequestW
HttpSendRequestExW
HttpQueryInfoW
FtpCreateDirectoryW
FtpOpenFileW
HttpAddRequestHeadersA
HttpOpenRequestW
HttpAddRequestHeadersW
HttpEndRequestW
InternetCrackUrlW
WININET.dll
inetc.dll
FtpCommandW
Filename: %s
qb.aL,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\001DF1A6_Rar\%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\nsExec.dll
c:\%original file name%.exe
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
Q*G.Cwtt$
\.lhh
/[email protected]
K.FX>Q
.LK'E
PhXXp://89.11;
.info/home.gifv*y
.text^
]6.dB
4.At%
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
UrlA'G
\'Web%f
HTTP)e
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
WS2_32.dll
SHFileOperationA
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\nsExec.dll
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\nsExec.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
Wwininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
/password
Uploading %s
nsoB3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\*.*
RMDir: RemoveDirectory on Reboot("C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\")
emp\nsoB3.tmp\nsExec.dll"
-statistics=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\\conduitStatistics.csf
\%original file name%.exe
:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nszB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\
ystem.dll
5.7.4.0

%original file name%.exe_1572_rwx_00727000_00010000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\001DF1A6_Rar\%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB3.tmp\nsExec.dll
.text
c:\%original file name%.exe
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
Q*G.Cwtt$
\.lhh
/[email protected]
K.FX>Q
.LK'E
PhXXp://89.11;
.info/home.gifv*y
.text^
.rdata
]6.dB
4.At%
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
UrlA'G
\'Web%f
HTTP)e
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA

Explorer.EXE_512_rwx_00F30000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

%original file name%.exe_1572_rwx_00D20000_01033000:

c:\windows
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
%System%\drivers\nlgrmg.sys
196221860921
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
h.rdata
H.data
.reloc
ntoskrnl.exe
Opera/8.81 (Windows NT 6.0; U; en)
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
NOTEPAD.EXE
WINMINE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
hXXp://klkjwre77638dfqwieuoi888.info/
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\abp470n5
WINDOWS
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
BackWeb Plug-in - 4476822
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
tcpsr
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
ASHWEBSV.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBPROXY.
WEBSCANX.
WEBTRAP.
sfc_os.dll
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetWindowsDirectoryA
GetProcessHeap
WinExec
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
.xdata
@.CRT
/KPCKwWEBWUP
.SEdAUD
MM.PFW.
?.cmd
>>?456789:;<=
!"#$%&'()* ,-./012
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll

%original file name%.exe_1572_rwx_02260000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

%original file name%.exe_1572_rwx_02370000_00001000:

|%original file name%.exeM_1572_

Explorer.EXE_512_rwx_00F40000_00001000:

|explorer.exeM_512_
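
The listing above is the raw string content of the rwx memory regions dumped from %original file name%.exe (PID 1572) and Explorer.EXE (PID 512); URLs are written with hXXp:// and, by all appearances, www. as VVV. so they cannot be clicked. The Python below is an added example, not part of the report or of the Lavasoft analysis system: it parses a constructed excerpt of the listing (lines copied from above), reads the image_pid_protection_base_size region headers, refangs the URLs and sorts the strings into URLs, hosts, registry keys, driver, device and file names. The classification rules are this example's own heuristics; the security-product names in the dump (avast! Web Scanner, WebrootFirewall and the rest) are left for a separate watch list.

```python
"""Turn a 'Strings from Dumps' listing into blockable indicators."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Dump region header: <image>_<pid>_<protection>_<base>_<size>:  (hex base and size)
REGION_RE = re.compile(
    r"^(?P<image>.+?)_(?P<pid>\d+)_(?P<prot>[rwx-]{3})_"
    r"(?P<base>[0-9A-Fa-f]{8})_(?P<size>[0-9A-Fa-f]{8}):$")
URL_RE = re.compile(r"^h(?:xx|tt)ps?://", re.I)      # the listing defangs http as hXXp
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed excerpt: lines copied from the listing above, not a complete dump.
SAMPLE = "\n".join([
    r"%original file name%.exe_1572_rwx_00D20000_01033000:",
    r"",
    r"c:\windows",
    r"hXXp://89.119.67.154/testo5/",
    r"hXXp://kukutrustnet777.info/home.gif",
    r"%System%\drivers\nlgrmg.sys",
    r"Software\Microsoft\Windows\CurrentVersion\policies\system",
    r"hXXp://VVV.klkjwre9fqwieluoi.info/",
    r"VVV.microsoft.com",
    r"\\.\abp470n5",
    r"autorun.inf",
    r"avast! Web Scanner",
    r"WebrootFirewall",
    r"",
    r"Explorer.EXE_512_rwx_00F40000_00001000:",
    r"",
    r"|explorer.exeM_512_",
])


def refang(s):
    """Undo the listing's defanging: hXXp:// -> http://, VVV. -> www. (assumed)."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.replace("VVV.", "www.")


def classify(line):
    """Map one dump string to (category, value) pairs; heuristics of this example."""
    found = []
    if URL_RE.match(line):
        url = refang(line)
        host = urlparse(url).hostname
        if host:                                   # skip the bare "hXXp://" fragment
            found.append(("urls", url))
            found.append(("ips" if IPV4_RE.match(host) else "domains", host))
    elif line.startswith("VVV."):
        found.append(("domains", refang(line)))
    elif line.lower().startswith(("software\\", "system\\")):
        found.append(("registry_keys", line))
    elif line.lower().endswith(".sys"):
        found.append(("drivers", line))
    elif line.startswith("\\\\.\\"):                # \\.\name: a device or named object
        found.append(("device_paths", line))
    elif line.lower() == "autorun.inf":
        found.append(("files", line))
    return found


def parse_dump(text):
    """Return (regions, iocs): one dict per region header, and IOCs by category."""
    regions, iocs, current = [], defaultdict(set), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REGION_RE.match(line)
        if m:
            current = {"image": m["image"], "pid": int(m["pid"]), "prot": m["prot"],
                       "base": int(m["base"], 16), "size": int(m["size"], 16), "strings": 0}
            regions.append(current)
            continue
        if current is not None:
            current["strings"] += 1               # strings found in the current region
        for cat, value in classify(line):
            iocs[cat].add(value)
    return regions, {cat: sorted(vals) for cat, vals in iocs.items()}


if __name__ == "__main__":
    regions, iocs = parse_dump(SAMPLE)
    for r in regions:
        print(f"{r['image']} pid={r['pid']} {r['prot']} base=0x{r['base']:08X} "
              f"size=0x{r['size']:X} strings={r['strings']}")
    for cat, vals in iocs.items():
        print(cat, vals)
```

The region headers matter on their own: a 16 MB rwx region inside the original process and a fresh rwx region in Explorer.EXE are exactly the memory a hunt for injected code looks for, so the parser keeps base and size as integers rather than discarding the header.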


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    statisticsStub.:272
    netsh.exe:320

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp\InetC.dll (24 bytes)
    C:\END (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\usage[1].ashx (9 bytes)
    %WinDir%\system.ini (74 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\statisticsstub[1].exe (6340 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\001DF1A6_Rar\%original file name%.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsB4.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\InetC.dll (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB3.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\statisticsStub.exe (6340 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\conduitStatistics.csf (1475 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
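
Step 5 of the manual removal is the part that has to be repeated on every removable drive that touched the infected machine. The Python below is an added example, not code from the report or from Ad-Aware: it reads the keys in the [autorun] section that launch a program when the drive is opened (open=, shellexecute= and shell\...\command=) without the strict INI parsing that junk lines in a worm-written file would abort, refuses targets that point outside the drive, records the SHA256 of each launched file before moving it and autorun.inf into a quarantine directory, and runs the whole thing against a drive layout it builds in a temporary directory. The autorun.inf content and the winabc.exe name are constructed for the demo (the dump above shows only a win%s.exe pattern, not a concrete name); file attributes are not changed and the script never touches the machine's own drives.

```python
"""Find and quarantine the files an autorun.inf would launch on a removable drive."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# [autorun] keys that execute a program when the drive is opened in Explorer.
LAUNCH_KEY_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
LEADING_DOT_RE = re.compile(r"^(?:\.\\|\\)+")   # strips ".\" or "\" prefixes, never "..\"

# Constructed demo content, not a captured sample. winabc.exe is a placeholder
# for the win%s.exe naming pattern seen in the dump strings.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    ";constructed autorun.inf for the demo\r\n"
    "open=winabc.exe\r\n"
    "shell\\open\\Command=winabc.exe /s\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "action=Open folder to view files\r\n"
)
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not executable code\n"


def parse_autorun_text(text):
    """Return the distinct launch targets named in an autorun.inf body.

    Hand-parsed rather than configparser: worm-written files often carry junk
    lines with no '=' and odd casing, which a strict INI parser rejects.
    """
    targets, seen, section = [], set(), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "autorun":
            continue
        m = LAUNCH_KEY_RE.match(line)
        if not m:
            continue
        value = m.group(2)
        # The program is the first token; it may be quoted and carry arguments.
        if value.startswith('"'):
            end = value.find('"', 1)
            program = value[1:end] if end > 0 else value[1:]
        else:
            program = value.split()[0]
        program = LEADING_DOT_RE.sub("", program.replace("/", "\\"))
        if program and program.lower() not in seen:
            seen.add(program.lower())
            targets.append(program)
    return targets


def clean_removable_drive(root, quarantine):
    """Move autorun.inf and every file it launches into `quarantine`; return a report."""
    root, quarantine = Path(root).resolve(), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    report = {"targets": [], "quarantined": [], "missing": [], "rejected": []}
    inf = root / "autorun.inf"
    if not inf.is_file():
        return report
    report["targets"] = parse_autorun_text(inf.read_bytes().decode("latin-1"))
    for rel in report["targets"]:
        candidate = (root / rel.replace("\\", "/")).resolve()
        if not candidate.is_relative_to(root):      # refuse "..\" escapes off the drive (3.9+)
            report["rejected"].append(rel)
            continue
        if not candidate.is_file():
            report["missing"].append(rel)
            continue
        digest = hashlib.sha256(candidate.read_bytes()).hexdigest()  # hash before moving
        dest = quarantine / (candidate.name + ".quarantined")
        shutil.move(str(candidate), str(dest))
        report["quarantined"].append({"path": rel, "sha256": digest, "moved_to": str(dest)})
    shutil.move(str(inf), str(quarantine / "autorun.inf.quarantined"))
    return report


def build_sample_drive(path):
    """Lay out a fake removable drive: autorun.inf, the file it launches, a user file."""
    root = Path(path)
    root.mkdir(parents=True, exist_ok=True)
    (root / "autorun.inf").write_bytes(SAMPLE_AUTORUN.encode("latin-1"))
    (root / "winabc.exe").write_bytes(SAMPLE_PAYLOAD)
    (root / "notes.txt").write_bytes(b"user data that must survive cleanup\n")
    return root


def demo():
    """Build, clean and check a sample drive in a temp dir; returns the report plus checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_drive(Path(tmp) / "drive")
        report = clean_removable_drive(root, Path(tmp) / "quarantine")
        report["autorun_gone"] = not (root / "autorun.inf").exists()
        report["dropper_gone"] = not (root / "winabc.exe").exists()
        report["user_file_kept"] = (root / "notes.txt").exists()
        return report


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Quarantining rather than deleting keeps the dropped copy and its hash available for comparison with the report's sample, and the rejected list surfaces any autorun.inf that tries to launch something off the drive, which is worth a look before the drive is declared clean.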
