Worm.Win32.Ainslot.VB_82e202ce04

by malwarelabrobot on July 31st, 2013 in Malware Descriptions.

Trojan-Dropper.Win32.FrauDrop.abdpt (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Backdoor.Win32.Fynloski!IK (Emsisoft), Worm.Win32.Ainslot.VB.FD, WormAinslot_VariantOfZeus.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 82e202ce0491b2203055f664853d9995
SHA1: 7458550e2b7931ececaf3afa05ec5276a0e197c6
SHA256: cdbe39c8c76fb6a43aa6c4e4d034dfe9c3829b49f43475275601b4f8aed6e802
SSDeep: 12288:MVGF6O zzmQdx vvNpHSj0OQxploTvZtvWs4vQpIP:M 6O ztaNpHSQOepWRcQp
Size: 991232 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC; UPolyXv05_v6; NETexecutable
Company: no certificate found
Created at: 2013-06-27 00:45:38


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

82e202ce0491b2203055f664853d9995.exe:740
reg.exe:420
reg.exe:440
reg.exe:1564
reg.exe:948
attrib.exe:1272
wscript.exe:1064

The Worm injects its code into the following process(es):

cvtres.exe:1244

File activity

The process 82e202ce0491b2203055f664853d9995.exe:740 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\SERA Data\3132.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\SERA Data\sec43.aan (6432 bytes)

The process cvtres.exe:1244 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\fotos_bs.exe (35 bytes)
%Documents and Settings%\%current user%\Application Data\logg2 (33 bytes)

The process wscript.exe:1064 makes changes in a file system.
The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\SERA Data\3132.txt (0 bytes)

Registry activity

The process 82e202ce0491b2203055f664853d9995.exe:740 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 9A B0 2C DC C9 86 B9 2A 07 91 5D 0D 8D 69 E8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The process reg.exe:420 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 3A D4 66 A0 54 38 F2 6F F1 AB 9E C8 DC F4 01"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"fotos_bs.exe" = "%Documents and Settings%\%current user%\Application Data\fotos_bs.exe:*:Enabled:Windows Messanger"

The process reg.exe:440 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 3C 1A 40 E7 14 73 98 87 26 CC F2 23 C2 8B 93"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"cvtres.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger"

The process reg.exe:1564 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E DE FA 7A 86 FB D6 F3 83 61 FD CC FA E4 B4 82"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:948 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 5D F8 AB 6A F5 43 AD 38 60 2F 0F A4 02 CF FB"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process attrib.exe:1272 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 3A C2 A8 3C 4F 05 16 56 98 EA 7E FF 14 86 D7"

The process cvtres.exe:1244 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 4F EC D6 F8 E3 98 FE BD 52 0D 67 3F 3C 7B 9B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"6OCU7CGL4G" = "fotos3"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"6OCU7CGL4G" = "July 30, 2013"

The process wscript.exe:1064 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 28 C7 FD BB C6 1C 7F 25 9F D8 2D B6 79 0D BD"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sec43" = "%Documents and Settings%\%current user%\Application Data\SERA Data\sec43.exe"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    82e202ce0491b2203055f664853d9995.exe:740
    reg.exe:420
    reg.exe:440
    reg.exe:1564
    reg.exe:948
    attrib.exe:1272
    wscript.exe:1064

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Application Data\SERA Data\3132.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\SERA Data\sec43.aan (6432 bytes)
    %Documents and Settings%\%current user%\Application Data\fotos_bs.exe (35 bytes)
    %Documents and Settings%\%current user%\Application Data\logg2 (33 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "sec43" = "%Documents and Settings%\%current user%\Application Data\SERA Data\sec43.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now