MD5: b36f2f562c380df2d498c1a18d29ef67
SHA1: 7b9703feb87d790882190379f1ba7e9f11212e95
SHA256: 8b53f4f531efbf5da08cf45905b67c97300093fe3956499b57852a8c1471e6d7
SSDeep: 6144:Xsba1YT9AjcBisS5 j8bRRTrT1 Jc1SS rBszhxAecTzZ6EI543n6/KnrY82CGl9:XZ283Trp ST4BImlZ
Size: 645120 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: RightClick
Created at: 2012-09-04 22:34:31

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Process activity

The Worm creates the following process(es):

reg.exe:1040
reg.exe:536
reg.exe:260
reg.exe:428
b36f2f562c380df2d498c1a18d29ef67.exe:596

The Worm injects its code into the following process(es):

vbc.exe:1356

File activity

The process vbc.exe:1356 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\wat (33 bytes)
%Documents and Settings%\%current user%\Application Data\csrss.exe (3860 bytes)

The process b36f2f562c380df2d498c1a18d29ef67.exe:596 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Windows.exe (4185 bytes)

Registry activity

The process vbc.exe:1356 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 23 25 96 1B A8 2E DF 32 98 A9 91 D2 AC 0F 2C"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"OP9PA14WI3" = "pinkie2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"OP9PA14WI3" = "August 30, 2013"

The process reg.exe:1040 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 CE 03 ED 27 B5 C2 E7 80 39 B7 FE 7D 58 E6 E5"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"csrss.exe" = "%Documents and Settings%\%current user%\Application Data\csrss.exe:*:Enabled:Windows Messanger"

The process reg.exe:536 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 E7 C0 3E 1E 85 D4 B9 F9 FD 19 9D DE BC 89 EF"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:260 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 76 29 CA 96 23 09 A0 02 8A 5E 42 40 5C 5C 8E"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:428 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 5C 0B 7E 8B 90 F5 8D A6 42 F2 2B 4B 3E 3D 94"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727]
"vbc.exe" = "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger"

The process b36f2f562c380df2d498c1a18d29ef67.exe:596 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 43 81 B3 CF 9B AF 0A 6D C3 81 B2 CE DB E3 93"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows" = "%Documents and Settings%\%current user%\Application Data\Windows.exe"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   reg.exe:1040
   reg.exe:536
   reg.exe:260
   reg.exe:428
   b36f2f562c380df2d498c1a18d29ef67.exe:596

2. Delete the original Worm file.
   
3. Delete or disinfect the following files created/modified by the Worm:
   

   %Documents and Settings%\%current user%\Application Data\wat (33 bytes)
   %Documents and Settings%\%current user%\Application Data\csrss.exe (3860 bytes)
   %Documents and Settings%\%current user%\Application Data\Windows.exe (4185 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Windows" = "%Documents and Settings%\%current user%\Application Data\Windows.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.