MD5: ad6eda33abfc8a7dfd311f695dd7e611
SHA1: 5d7fdf3d6f8c02d6c65da8fd1849f76fed9ae692
SHA256: 31204046ef1a46ef62cb6af2eba9510810b108bea63d2461b0a47ccc9417ccc6
SSDeep: 12288:tabTqe06Sdamj78TVPNoSvhw1lb9JkZRuckU7zFVDfii6: qeFG78VPNoSvKb9NYz16
Size: 514560 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: YoutubeDownloaderHD.com
Created at: 2012-09-12 15:17:28

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Process activity

The Worm creates the following process(es):

reg.exe:344
reg.exe:1588
reg.exe:1180
reg.exe:580
ad6eda33abfc8a7dfd311f695dd7e611.exe:1676

The Worm injects its code into the following process(es):

vbc.exe:1736

File activity

The process vbc.exe:1736 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\java1 (33 bytes)
%Documents and Settings%\%current user%\Application Data\bsjava1.exe (3860 bytes)

The process ad6eda33abfc8a7dfd311f695dd7e611.exe:1676 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WinLogs32.Exe (3073 bytes)

Registry activity

The process vbc.exe:1736 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 9D 71 0E 22 FF 27 76 FF 9B EE 16 D2 BD 55 81"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"VCI56ZIQPG" = "August 15, 2013"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"VCI56ZIQPG" = "blackshades"

The process reg.exe:344 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 16 07 B2 33 1E EC 6B 2A 1D F0 5F 06 A3 03 87"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"bsjava1.exe" = "%Documents and Settings%\%current user%\Application Data\bsjava1.exe:*:Enabled:Windows Messanger"

The process reg.exe:1588 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F F7 2B C5 42 CD 50 2D 98 AE E7 6E BF C4 C4 8E"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"vbc.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger"

The process reg.exe:1180 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 43 DF 87 D6 00 1F 8B 74 32 24 54 85 48 6A 36"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:580 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A AB 72 F2 AA 0C B3 B4 D7 47 F8 E6 C5 05 B9 FD"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process ad6eda33abfc8a7dfd311f695dd7e611.exe:1676 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 8F 7D 3D 7A 9A B1 75 3D 98 37 92 3C EE 89 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinLogs32" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\WinLogs32.Exe"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   reg.exe:344
   reg.exe:1588
   reg.exe:1180
   reg.exe:580
   ad6eda33abfc8a7dfd311f695dd7e611.exe:1676

2. Delete the original Worm file.
   
3. Delete or disinfect the following files created/modified by the Worm:
   

   %Documents and Settings%\%current user%\Application Data\java1 (33 bytes)
   %Documents and Settings%\%current user%\Application Data\bsjava1.exe (3860 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\WinLogs32.Exe (3073 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "WinLogs32" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\WinLogs32.Exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.