Win32.Sality.OG_9a823a7df9

by malwarelabrobot on April 1st, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.Agent.aljt (Kaspersky), Win32.Sality.OG (B) (Emsisoft), Win32.Sality.OG (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Worm, Virus, Adware, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 9a823a7df914083f2895740194ce98a5
SHA1: 769fdf6c3cfdb19f72925e507d093e0f7c9068e5
SHA256: 5eea160e898bc0c0855ba151d5e61873a0f579a8359467566142a86127636088
SSDeep: 24576:og4l47j qTZePRf7RVZ6v4ml8aSugTLCk U2iAqS6cIIK37:UWXNSfdVIzpgfmDi5zuA7
Size: 1150536 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-03-22 02:59:20
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm: a program whose primary function is to replicate across networks or removable drives.

The strings recovered from the process memory dumps (listed at the end of this report) show two components in one file: a Nullsoft Install System v2.45.1-Unicode installer that drops the SupTab browser add-on (the adware component behind Kaspersky's AdWare verdict), and a separate read-write-execute region in the same process holding the code associated with the Sality verdict: the kukutrustnet*.info and klkjwre*.info URLs, a list of antivirus and firewall service and process names, the "autorun.inf" and "win%s.exe" strings and the \\.\abp470n5 device name.

Payload

Behaviour Description
WormAutorun: the worm spreads via removable drives. It copies its executable to each removable drive and writes an "autorun.inf" that points at the copy, so the file is executed when AutoRun processes the drive or the user opens it in Windows Explorer. This only works where AutoRun is honoured for removable media: the analysis host is Windows XP SP3, where it is; on Windows 7 and later, and on XP/Vista with update KB971029, AutoRun for non-optical media is disabled and the autorun.inf no longer launches the file by itself.


Process activity

The Worm creates the following process(es). netsh.exe is the Windows firewall-configuration tool and is used (see its registry changes below) to switch the firewall off; WINMINE.EXE and NOTEPAD.EXE are the stock Minesweeper and Notepad binaries, whose names also appear in the injected code's strings. A burst of such processes started by one unrelated executable is the behavioural indicator, not the process names themselves:

netsh.exe:1992
WINMINE.EXE:3612
WINMINE.EXE:3740
WINMINE.EXE:3852
WINMINE.EXE:3672
WINMINE.EXE:3720
WINMINE.EXE:3176
NOTEPAD.EXE:3452
NOTEPAD.EXE:3580
NOTEPAD.EXE:3384
NOTEPAD.EXE:3816
NOTEPAD.EXE:4064
NOTEPAD.EXE:3884
NOTEPAD.EXE:3516
NOTEPAD.EXE:3420
NOTEPAD.EXE:3548
NOTEPAD.EXE:3220
NOTEPAD.EXE:3484
NOTEPAD.EXE:4092
NOTEPAD.EXE:3144
NOTEPAD.EXE:3336
NOTEPAD.EXE:3760
NOTEPAD.EXE:3268
NOTEPAD.EXE:3644
NOTEPAD.EXE:3788
NOTEPAD.EXE:3300

The Worm injects its code into the following process(es):

%original file name%.exe:212
Explorer.EXE:932

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:212 makes changes in the file system.
The Worm creates and/or writes to the following file(s). Two of the targets, Reader_sl.exe and jusched.exe, are existing third-party executables rather than files the Worm dropped, which is consistent with the Virus (file infector) verdict: treat those files as infected and restore or disinfect them rather than simply deleting them. The sizes in parentheses are the sandbox's figures and are not reliable byte counts (the NSIS log string in the dump records a 5120-byte write to LangDLL.dll, which is listed here as 5 bytes):

%Documents and Settings%\%current user%\Local Settings\Temp\winljhgh.exe (601 bytes)
%WinDir%\system.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (11 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00112DB4_Rar\%original file name%.exe (7547 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\winljhgh.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (0 bytes)
C:\113a85 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:212 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "3432392762"

[HKCU\Software\Aas\695404737]
"35845605" = "476"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "83AD022F944CCF21DDECD41871254667172BA39F3E949513F4CC29B07060AC534912E5BCB155880C2C4326E6FB83E6FA099D4219F6885291D527824C5507229614A07CE2AF035D97263FF7F26AD2ACC9D5D4395D4B8B3109DC5C0C87B31A1505E6E94E08EF20E71B91B96D3856F531DADFD78A894AD6A6C177136C5657B01661"

[HKCU\Software\Aas]
"a3_0" = "17001001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "144"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\Aas\695404737]
"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 9A 7B F0 3E 85 34 0E E2 97 8D 5A AF D9 75 8C"

[HKCU\Software\Aas]
"a2_0" = "5517"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

Adds a Windows Firewall exception that allows all network activity for the Worm's executable. The value format is path:scope:status:display name; "*" as the scope means every network, and "ipsec" is the name the entry shows under the firewall's exceptions list:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The process netsh.exe:1992 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 6F 44 7C 27 87 6E 7D A9 58 7E 5B 25 F1 F1 29"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Windows Firewall standard profile is disabled (this is the change made through netsh.exe:1992):

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
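As an added example that is not part of the original report, the following Python script parses a registry-change listing in the format used above and separates the changes that weaken the host (Security Center overrides and notification suppression, EnableLUA=0, DisableTaskMgr and DisableRegistryTools, firewall off plus an all-networks exception) from harmless side effects such as the CryptoAPI RNG seed, netsh tracing keys and Explorer's MountPoints2 entries. The sample input is an excerpt of the entries listed for %original file name%.exe:212 and netsh.exe:1992; the severity labels and the "opaque key" heuristic applied to HKCU\Software\Aas are assumptions of this example, not verdicts from the report.

```python
"""Audit a sandbox registry-change listing ([key] lines followed by
"name" = "value" lines) for changes that weaken the host's own defences,
and separate them from harmless side effects of execution."""
import re
from collections import Counter

# Sample input: an excerpt of the changes listed in this report for
# %original file name%.exe:212 and netsh.exe:1992.
SAMPLE = r'''
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "3432392762"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
"DisableTaskMgr" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 9A 7B F0 3E 85 34 0E E2 97 8D 5A AF D9 75 8C"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"(.+?)"\s*=\s*"(.*)"$')
# Keys whose values change as a by-product of normal execution.
NOISE = ("\\cryptography\\rng", "\\tracing\\", "\\mountpoints2\\")
# Assumed heuristic: a short meaningless vendor key holding values with
# numeric names is typically malware configuration storage.
OPAQUE_KEY = re.compile(r"^hkcu\\software\\[a-z0-9]{2,6}(\\\d+)?$")
OPAQUE_NAME = re.compile(r"^[a-z]?\d+(_\d+)?$")


def parse_changes(text):
    """Yield (key, value name, value) triples from the listing."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def classify(key, name, value):
    """Return (severity, explanation) for one change, or None if benign."""
    k, n, v = key.lower(), name.lower(), value.strip().lower()
    if any(marker in k for marker in NOISE):
        return None
    if "\\security center" in k:
        if n.endswith("disablenotify") and v == "1":
            return "high", f"Security Center alert suppressed ({name})"
        if n.endswith("override") and v == "1":
            return "high", f"{name}: Security Center reports the component as healthy whatever its real state"
    if k.endswith("\\policies\\system"):
        if n == "enablelua" and v == "0":
            return "high", "UAC disabled (EnableLUA=0)"
        if n in ("disabletaskmgr", "disableregistrytools") and v == "1":
            return "high", f"{name}=1 blocks the user's own inspection tools"
    if "\\firewallpolicy\\" in k:
        if n == "enablefirewall" and v == "0":
            return "high", "Windows Firewall profile disabled"
        if n == "donotallowexceptions" and v == "0":
            return "medium", "firewall exception list re-enabled so added rules take effect"
        if "\\authorizedapplications\\list" in k:
            # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>;
            # split from the right so the drive-letter colon survives.
            parts = value.rsplit(":", 3)
            if len(parts) == 4 and parts[2].lower() == "enabled":
                scope = "all networks" if parts[1] == "*" else parts[1]
                return "high", f"firewall exception for {parts[0]} on {scope}, listed as {parts[3]!r}"
    if k.endswith("\\explorer\\advanced") and n == "hidden" and v == "2":
        return "medium", "Explorer set to hide hidden files (Hidden=2)"
    if OPAQUE_KEY.match(k) and OPAQUE_NAME.match(n):
        return "low", f"opaque per-user key {key} with numeric value names (likely malware configuration)"
    return None


def audit(text):
    """Return [(severity, key, name, value, explanation), ...]."""
    findings = []
    for key, name, value in parse_changes(text):
        verdict = classify(key, name, value)
        if verdict:
            findings.append((verdict[0], key, name, value, verdict[1]))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(sev for sev, *_ in findings)


if __name__ == "__main__":
    for sev, key, name, _, why in audit(SAMPLE):
        print(f"{sev:6} {why}  [{key}] {name}")
    print(dict(summarize(audit(SAMPLE))))
```

Feed the whole listing of a report (or a diff of two registry exports) to audit() to get the same separation; the NOISE tuple is where to add further keys that a given sandbox is known to churn.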

The process WINMINE.EXE:3612 makes changes in the system registry.
For this and each of the WINMINE.EXE and NOTEPAD.EXE instances below, the only recorded change is to the CryptoAPI RNG seed, which every process that calls the Windows random-number generator rewrites; it is a side effect of running, not an indicator of compromise:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 1F 87 DD 13 94 6D 2F C2 C3 B7 AB 99 F1 88 66"

The process WINMINE.EXE:3740 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 3E 23 A4 A0 BE B9 36 DB D9 B2 76 D6 65 B5 D9"

The process WINMINE.EXE:3852 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 24 6D C5 B4 18 75 B6 94 6F B8 C8 35 0E 6F 1F"

The process WINMINE.EXE:3672 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB CA E5 B0 FD AB 42 BE 72 F6 59 13 EC DC CB 39"

The process WINMINE.EXE:3720 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 25 DC 92 8D D3 94 88 61 49 75 B8 EA E8 AF 76"

The process WINMINE.EXE:3176 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B A5 A9 B5 CC 20 6A A9 3D 2B B0 BC 13 E7 32 40"

The process NOTEPAD.EXE:3452 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 82 C7 32 CD 7A EE 7B 11 D5 53 24 DE 36 9F 91"

The process NOTEPAD.EXE:3580 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 D8 0F F9 BB BC F2 A2 08 B3 04 4C D5 70 6C 5F"

The process NOTEPAD.EXE:3384 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 BD FB 82 4E 49 D8 A7 83 93 FA 88 B6 80 FB 9B"

The process NOTEPAD.EXE:3816 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E CD FF 7E 09 7D C8 B0 D0 2D 93 CB 79 42 6A 39"

The process NOTEPAD.EXE:4064 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA ED A5 DB 6E 45 7F 92 B1 36 DD 28 6C BB 2F 2F"

The process NOTEPAD.EXE:3884 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 D6 56 A4 AD F5 87 D1 42 6A 2B 2C F0 CC 9C FD"

The process NOTEPAD.EXE:3516 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 F6 36 D9 61 EB 13 D9 34 47 FD 90 B1 77 02 16"

The process NOTEPAD.EXE:3420 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 8C C6 4B 9B E0 79 F3 4A FF EA C6 74 40 1C D4"

The process NOTEPAD.EXE:3548 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 FB BA 36 3B 78 35 54 97 1C 03 56 EC FF F7 7B"

The process NOTEPAD.EXE:3220 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A D1 80 6B 3E 8A C1 0E 1B 89 76 08 2F 8C 5E 7A"

The process NOTEPAD.EXE:3484 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 71 E7 4F 47 EE AE AE 8D CE 62 0D 77 BD 3A 7E"

The process NOTEPAD.EXE:4092 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 F2 6B 77 63 A4 FE 3F 6D 81 34 11 CB 77 48 E0"

The process NOTEPAD.EXE:3144 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 19 78 17 73 FB BC 33 FA 03 3F 38 D5 86 F7 AD"

The process NOTEPAD.EXE:3336 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 D1 12 97 7E D6 76 C5 A4 23 0F AA 23 0E 11 07"

The process NOTEPAD.EXE:3760 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 3E D4 E8 C0 54 0F 97 E4 A2 E9 88 3A E9 B3 F7"

The process NOTEPAD.EXE:3268 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 C3 1F 13 25 8E BF 84 C5 1E B7 29 90 5D 2C A7"

The process NOTEPAD.EXE:3644 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 6D A3 C1 DA 66 B1 89 DD 01 F9 C5 C5 84 14 60"

The process NOTEPAD.EXE:3788 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 50 6D 67 67 43 DF 87 E7 82 E2 42 22 86 18 A3"

The process NOTEPAD.EXE:3300 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 C5 61 2F 31 33 36 7A B4 2E 59 5B A2 3B FF 2A"

Dropped PE files

MD5 File path
442996bdc46c9f00dc8ed2bad3e98bcf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00112DB4_Rar\%original file name%.exe
8e806ea2e205dc508a2fb5adda3419db c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\LangDLL.dll
b9f430f71c7144d8ff4ab94be2785aa6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\System.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
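As an added example (not part of the original report), the following Python triage script covers the propagation mechanism described here and under Payload: it parses an autorun.inf the way a removable-drive check would, flags the launch keys and the folder-masquerading tricks, and verifies that the referenced executable really sits on the drive. The autorun.inf content is constructed, since the sandbox did not record the one this sample writes; it points at the dropped file name the report lists (winljhgh.exe). On Windows, removable_drive_roots() enumerates DRIVE_REMOVABLE volumes through GetDriveTypeW; elsewhere the demo runs against a temporary directory.

```python
"""Triage autorun.inf on removable media for the WormAutorun pattern:
an [autorun] section that launches an executable dropped on the drive."""
import os
import re
import tempfile

# Constructed sample: the sandbox did not capture the autorun.inf this worm
# writes, so this models the behaviour the report describes, pointing at the
# dropped file name it lists (winljhgh.exe). The junk line mimics the
# garbage some worms add to defeat naive parsers.
SAMPLE_AUTORUN = """[autorun]
junk line without a separator
open=winljhgh.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=winljhgh.exe
shell\\explore\\command=winljhgh.exe
shellexecute=winljhgh.exe
action=Open folder to view files
useautoplay=1
"""

LAUNCH_KEYS = {"open", "shellexecute"}                 # direct launch keys
COMMAND_KEY = re.compile(r"shell\\[^\\]+\\command")    # shell\<verb>\command
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Tolerant parser: keep key=value lines inside [autorun] only,
    lower-case the keys, drop comments and junk, and keep the first value
    seen for a key (later duplicates are ignored)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip().strip('"'))
    return entries


def launch_keys(entries):
    """Keys whose value is run when AutoRun fires or the drive is opened."""
    return [k for k in entries if k in LAUNCH_KEYS or COMMAND_KEY.fullmatch(k)]


def analyze_autorun(text):
    """Return (entries, findings) for one autorun.inf body."""
    entries = parse_autorun(text)
    findings = []
    for key in launch_keys(entries):
        value = entries[key]
        findings.append(f"{key} launches {value!r}")
        # A bare file name in a launch key means the payload sits on the
        # drive root next to autorun.inf, which is how this worm spreads.
        if value.lower().endswith(EXEC_EXT) and not re.search(r"[\\:]", value):
            findings.append(f"{key} points at a file on the drive root ({value})")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon borrows a shell32.dll icon (drive masquerades as a folder)")
    if "action" in entries and launch_keys(entries):
        findings.append("action text spoofs the AutoPlay 'open folder' choice")
    return entries, findings


def scan_drive(root):
    """Find autorun.inf at the root of a mounted drive, analyse it and check
    whether the files it launches are really present there."""
    report = {"root": root, "autorun": None, "findings": [], "targets": []}
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        path = os.path.join(root, name)
        with open(path, encoding="latin-1", errors="ignore") as fh:
            entries, findings = analyze_autorun(fh.read())
        report.update(autorun=path, findings=findings)
        for key in launch_keys(entries):
            target = os.path.join(root, entries[key].split()[0]) if entries[key] else ""
            report["targets"].append((target, os.path.isfile(target)))
        break
    return report


def removable_drive_roots():
    """Windows only: drive roots whose type is DRIVE_REMOVABLE (2)."""
    if os.name != "nt":
        return []
    import ctypes
    import string
    mask = ctypes.windll.kernel32.GetLogicalDrives()
    roots = [f"{c}:\\" for i, c in enumerate(string.ascii_uppercase) if mask & (1 << i)]
    return [r for r in roots if ctypes.windll.kernel32.GetDriveTypeW(r) == 2]


def demo_scan():
    """Run scan_drive against a throwaway directory holding the sample."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "winljhgh.exe"), "wb") as fh:
            fh.write(b"MZ")          # stand-in for the dropped executable
        return scan_drive(root)


if __name__ == "__main__":
    for drive in removable_drive_roots() or [None]:
        print(scan_drive(drive) if drive else demo_scan())
```

The parser deliberately does not use configparser: infected autorun.inf files are often padded with non-key lines and duplicate keys, which configparser rejects, and a triage tool must not fail exactly on the files that matter.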

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 63112 63488 3.71134 bb246b2e8bb5ebf52ef134899676b801
.rdata 69632 13410 13824 4.1366 40d5f9c280cd19e695bfa3031030672e
.data 86016 572668 9216 2.15433 42bb0055f20c98883b72c276c3d7a845
.idata 659456 6011 6144 3.19775 0bbda7738b276a7bd2a8f8f4ea0ad05e
.ndata 667648 1019904 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 1687552 17088 17408 4.09046 96c7dba99bd846c35760ea25b4267cdb
.brdata 1708032 73728 73728 5.54218 f81854d4d4e571115fa0edafd3b100e7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Worm connects to the servers at the following location(s):

No connections were recorded during analysis (see the URLs and Traffic sections above); the URLs in the strings below were recovered from process memory, not observed on the wire.

Strings from Dumps

%original file name%.exe_212:

.text
.rdata
@.data
.idata
.ndata
.rsrc
@.brdata
C:\Work\nsis-unicode\build\udebug\stub_zlib\stub_zlib.pdb
%s=%s
RegDeleteKeyExW
PSAPI.DLL
Kernel32.DLL
RH.HU
M%DI1
_.xcA
`.rdata
@.reloc
KERNEL32.dll
USER32.dll
GDI32.dll
LangDLL.dll
ole32.dll
System.dll
4E.iQ3
:2.Pq:
'6e.sn
n.irA!
V2%cp1%
GetWindowsDirectoryW
ExitWindowsEx
GetAsyncKeyState
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegEnumKeyW
RegCreateKeyExW
RegCloseKey
RegDeleteKeyW
RegOpenKeyExW
ADVAPI32.dll
COMCTL32.dll
VERSION.dll
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.45.1-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
p.azU'
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\00112DB4_Rar\%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
c:\%original file name%.exe
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
\.ttpU2I
hXXp://89.
.info/home.giN%
[Wr%S
?%XYZ[_
.text^
4.AtT<x
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
o4&?%x=
J.DLL
GUrlA'G5
HTTP)s'cfp
Lxo.ENHCDM
wWEBWUPD
n .pZ
?456789:;<=
'()* ,-./01230 0
.HpT.#[3
av%xQ
MSVCRT.dll
WS2_32.dll
SHFileOperationA
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
@Jump: %d
Aborting: "%s"
Call: %d
detailprint: %s
Sleep(%d)
SetFileAttributes: "%s":X
CreateDirectory: "%s" (%d)
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: "%s" created
Rename on reboot: %s
IfFileExists: file "%s" exists, jumping %d
IfFileExists: file "%s" does not exist, jumping %d
Rename: %s
Rename failed: %s
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
File: skipped: "%s" (overwriteflag=%d)
File: wrote %d to "%s"
Delete: "%s"
MessageBox: %d,"%s"
RMDir: "%s"
Exch: stack < %d elements
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
ExecShell: success ("%s": file:"%s" params:"%s")
Exec: command="%s"
Exec: success ("%s")
Exec: failed createprocess ("%s")
Error registering DLL: %s not found in %s
CopyFiles "%s"->"%s"
Error registering DLL: Could not load %s
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
WriteINIStr: wrote [%s] %s=%s in %s
DeleteRegValue: "%s\%s" "%s"
DeleteRegKey: "%s\%s"
WriteRegStr: "%s\%s" "%s"="%s"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegBin: "%s\%s" "%s"="%s"
WriteReg: error writing into "%s\%s" "%s"
WriteReg: error creating key "%s\%s"
created uninstaller: %d, "%s"
settings logging to %d
logging set to %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Section: "%s"
Skipping section: "%s"
New install of "%s" to "%s"
Delete: DeleteFile("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile failed("%s")
RMDir: RemoveDirectory invalid input("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory failed("%s")
*?|<>/":
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
invalid registry key
x%c
\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
p\nsh2.tmp
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
callback%d
%Program Files%
\System.dll
\LangDLL.dll
SupTab.dll
BHOEnabler.exe
SupIePluginServiceUpdate.exe
indexIE.html
indexIE8.html
skin.css
style.css
ver.txt
\web\_locales
\web\_locales\en-US
messages.json
\web\_locales\es-419
\web\_locales\es-ES
\web\_locales\fr-BE
\web\_locales\fr-CA
\web\_locales\fr-CH
\web\_locales\fr-FR
\web\_locales\fr-LU
\web\_locales\it-CH
\web\_locales\it-IT
\web\_locales\pl
\web\_locales\pt-BR
\web\_locales\ru
\web\_locales\ru-MO
\web\_locales\tr-TR
\web\_locales\vi-VI
\web\_locales\zh-CN
\web\_locales\zh-TW
\web\img
default_logo.png
google.com.png
icon128.png
icon16.png
icon48.png
loading.gif
\web\js
background.js
ga.js
jquery-base.js
jquery.autocomplete.js
js.js
json2.js
xa.js
xagainit.js
Software\Microsoft\Windows\CurrentVersion\Uninstall\SupTab
\uninstall.exe
1.1.1.0
\SupTab.dll
\BHOEnabler.exe" -enablebho -bhoid={3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}
\SupIePluginServiceUpdate.exe"
Nullsoft Install System (Unicode) v2.45.1-Unicode
\wininit.ini
%Program Files%\
\Temp\nsh2.tmp
File: wrote 5120 to "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll"
~1\Temp\nsh2.tmp\LangDLL.dll"
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
%Program Files%\SupTab
p\nsm1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
1441914
1376500
1179988
1114414

%original file name%.exe_212_rwx_005A1000_00011000:

p.azU'
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\00112DB4_Rar\%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\LangDLL.dll
.text
c:\%original file name%.exe
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
\.ttpU2I
hXXp://89.
.info/home.giN%
[Wr%S
?%XYZ[_
.text^
4.AtT<x
toskrnl.exe
.klkjw:9fqwielu
sc.pBT
PAD.EXE
o4&?%x=
J.DLL
GUrlA'G5
HTTP)s'cfp
Lxo.ENHCDM
wWEBWUPD
n .pZ
?456789:;<=
'()* ,-./01230 0
.HpT.#[3
av%xQ
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA

%original file name%.exe_212_rwx_00BA0000_01033000:

c:\windows
hXXp://VVV.ledyazilim.com/logo.gif
hXXp://ksandrafashion.com/logo.gif
hXXp://VVV.lafyeri.com/images/logo.gif
hXXp://kulppasur.com/logo.gif
hXXp://toalladepapel.com.ar/images/logo.gif
hXXp://VVV.ecole-saint-simon.net/index_top/logo.gif
hXXp://lazarea.ro/images/logo.gif
hXXp://koonadance2.com/images/logo.gif
hXXp://kuplu.bel.tr/images/logo.gif
hXXp://VVV.liderancaspoliticas.com.br/logo.gif
hXXp://VVV.legalbilgisayar.com/img/logo.gif
hXXp://lifecom24.co.cc/images/logo.gif
%System%\drivers\flojpn.sys
11269215939
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
h.rdata
H.data
.reloc
ntoskrnl.exe
Opera/8.89 (Windows NT 6.0; U; en)
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
NOTEPAD.EXE
WINMINE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
hXXp://klkjwre77638dfqwieuoi888.info/
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\abp470n5
WINDOWS
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
BackWeb Plug-in - 4476822
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
tcpsr
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
ASHWEBSV.
DRWEB32W.
DRWEBSCD.
DRWEBUPW.
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBPROXY.
WEBSCANX.
WEBTRAP.
sfc_os.dll
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetWindowsDirectoryA
GetProcessHeap
WinExec
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
.xdata
@.CRT
GUrlA'G5
HTTP)s'cfp
Lxo.ENHCDM
wWEBWUPD
n .pZ
'()* ,-./01230 0
.HpT.#[3
av%xQ
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll

%original file name%.exe_212_rwx_01CA0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

%original file name%.exe_212_rwx_01CB0000_00001000:

|%original file name%.exeM_212_

Explorer.EXE_932_rwx_00FF0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

Explorer.EXE_932_rwx_01DE0000_00001000:

|explorer.exeM_932_


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). Note that the Worm sets DisableTaskMgr=1 and DisableRegistryTools=1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, so Task Manager and Regedit may have to be re-enabled before this step:

    netsh.exe:1992
    WINMINE.EXE:3612
    WINMINE.EXE:3740
    WINMINE.EXE:3852
    WINMINE.EXE:3672
    WINMINE.EXE:3720
    WINMINE.EXE:3176
    NOTEPAD.EXE:3452
    NOTEPAD.EXE:3580
    NOTEPAD.EXE:3384
    NOTEPAD.EXE:3816
    NOTEPAD.EXE:4064
    NOTEPAD.EXE:3884
    NOTEPAD.EXE:3516
    NOTEPAD.EXE:3420
    NOTEPAD.EXE:3548
    NOTEPAD.EXE:3220
    NOTEPAD.EXE:3484
    NOTEPAD.EXE:4092
    NOTEPAD.EXE:3144
    NOTEPAD.EXE:3336
    NOTEPAD.EXE:3760
    NOTEPAD.EXE:3268
    NOTEPAD.EXE:3644
    NOTEPAD.EXE:3788
    NOTEPAD.EXE:3300

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp\winljhgh.exe (601 bytes)
    %WinDir%\system.ini (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (11 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (528 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\LangDLL.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00112DB4_Rar\%original file name%.exe (7547 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (856 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Revert the registry changes listed above: remove DisableTaskMgr and DisableRegistryTools, set EnableLUA back to 1, re-enable the Windows Firewall standard profile and remove the AuthorizedApplications entry for the Worm's file, and clear the Security Center *Override and *DisableNotify values.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
