Worm.Generic.367423_b22b179bcb
Trojan.Win32.Vilsel.bjzg (Kaspersky), Worm.Generic.367423 (B) (Emsisoft), Worm.Generic.367423 (AdAware), GenericAutorunWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: b22b179bcb344794e47dbabda25b759e
SHA1: a3903b7be2300cab5aedaafe5c73b7de5fc0ace7
SHA256: b62fa5583d550d6a97ff60d47bfb33bd8995e73beeec081a1b3c9a5118f41f2c
SSDeep: 1536:bFVDip3Aq45XaqyEf0X6B6po6uaE7POHJ62NbvDQiNuXkasMr0u2eB08B:bF0aq45n0qkpxeOthvDNNuf0NU0M
Size: 91648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2012-03-10 15:42:37
Analyzed on: WindowsXP SP3 32-bit
Summary:
Worm: a program whose primary function is replicating itself across networks or removable drives.
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Worm creates the following process(es):
%original file name%.exe:1320
%original file name%.exe:1504
The Worm injects its code into the following process(es):
lsass.exe:1544
File activity
The process %original file name%.exe:1504 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lsass.exe (601 bytes)
Registry activity
The process %original file name%.exe:1320 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 68 14 0E 00 C1 36 CC 47 2C 86 10 D6 1A DE 60"
The process %original file name%.exe:1504 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 03 51 96 42 F3 EF A9 33 A7 84 7F 79 66 2A 00"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: MagicISO, Inc.
Product Name: MagicDisc
Product Version: 2.07.0106
Legal Copyright:
Legal Trademarks:
Original Filename: MagicDisc.exe
Internal Name: MagicDisc
File Version: 2.07.0106
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 61440 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 65536 | 77824 | 77312 | 5.41463 | 9a578b9d3d53bccc84bfc82c0305d872 |
.rsrc | 143360 | 16384 | 13312 | 3.19756 | 550ebb5227a1cd6873e211c05a743596 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Worm connects to the servers at the following location(s):
.text
`.rdata
@.data
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
keybd_event
VkKeyScanA
USER32.dll
RegCreateKeyExA
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
WS2_32.dll
SHLWAPI.dll
URLDownloadToFileA
urlmon.dll
GetCPInfo
%s\%s
taskkill /IM %s
del "%s">nul
if exist "%s" goto Repeat
ping 1.1.1.1 -w 5000 >nul
%s\removeMe%i%i%i%i.bat
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
website=1
\google_cache%s.tmp
NICK
JOIN
PRIVMSG
%s :%s
%s %s :%s
%s %s
%s %s %s
%s %s "" "lol" :%s
Executed process "%s".
.torrent
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
364855.exe
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
sw.l33t-milf.info
fbi.edu
Windows Firewall
lsass.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe
lsass.exe_1544_rwx_00400000_00011000: (memory region in the lsass.exe process the Worm injects into; its strings are identical to those listed above)
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1320
%original file name%.exe:1504
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\lsass.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\lsass.exe"
- Find and delete all copies of the Worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.