MD5: 84ee241c912800969df247f4ad3e5a98
SHA1: 26038cbe12d52324bcb4f529fbe4a0ce1ba1db0e
SHA256: 886dd4eb02236e7c85d68e88d3403dbc11a8d64a37af55bbb8ac604efcbfd870
SSDeep: 6144:/ZvXxTpe1vE5Y9UHTP3/lOToqD3FqeGc2IrS8z7KjMCE0E:/Zv6eH3/Q3D3FL2SsMCP
Size: 290304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Conduit
Created at: 2013-07-29 22:09:30

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Process activity

The Worm creates the following process(es):

reg.exe:236
reg.exe:1260
reg.exe:820
reg.exe:456
84ee241c912800969df247f4ad3e5a98.exe:480

The Worm injects its code into the following process(es):

vbc.exe:1640

File activity

The process vbc.exe:1640 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\hot.exe (3860 bytes)
%Documents and Settings%\%current user%\Application Data\dani (34 bytes)

Registry activity

The process vbc.exe:1640 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 B9 46 9C 10 BF 8D A2 73 74 A7 B0 05 4D E3 82"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"9D3RXD26XZ" = "blackshades"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"9D3RXD26XZ" = "August 24, 2013"

The process reg.exe:236 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 10 72 7F 8A BE ED 5F CB B3 35 48 32 16 E5 1C"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"hot.exe" = "%Documents and Settings%\%current user%\Application Data\hot.exe:*:Enabled:Windows Messanger"

The process reg.exe:1260 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 6C 74 5A 87 C8 8F B8 27 35 AE BC 90 81 4E AA"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:820 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 89 73 2F 42 CD 51 B9 39 73 12 6D 28 1A A5 06"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"vbc.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger"

The process reg.exe:456 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 A1 35 C5 3F D1 65 63 D2 F5 88 73 0F 28 32 0B"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process 84ee241c912800969df247f4ad3e5a98.exe:480 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 F7 FF 1B 01 C6 BD CD ED 71 A6 FA 1B 2D DF C4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Java" = "%Documents and Settings%\%current user%\Application Data\Java.exe"

Network activity (URLs)

URL	IP
hxxp://api.ipinfodb.com/v2/ip_query_country.php?key=&timezone=off	67.212.77.12
cabocelg.no-ip.biz	41.102.18.140

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   reg.exe:236
   reg.exe:1260
   reg.exe:820
   reg.exe:456
   84ee241c912800969df247f4ad3e5a98.exe:480

2. Delete the original Worm file.
   
3. Delete or disinfect the following files created/modified by the Worm:
   

   %Documents and Settings%\%current user%\Application Data\hot.exe (3860 bytes)
   %Documents and Settings%\%current user%\Application Data\dani (34 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Java" = "%Documents and Settings%\%current user%\Application Data\Java.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.