Worm.Win32.Ainslot.VB_b5ce1d8ac9
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Worm.SuspectCRC!IK (Emsisoft), Worm.Win32.Ainslot.VB.FD, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
This description was automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: b5ce1d8ac91872ad3085f2c7495a9df5
SHA1: c0e4465b71e98317f38a365e1b0fe1f2de762db5
SHA256: e041481ebdcaa886af10d86806c33abbe4c31ce21e3b7f3a1252c692b95253ad
SSDeep: 6144:q2px6T XTXbZWFx52H6rG10maItU6aXFb1Uxs:q46iBWZhU0rIe6n
Size: 222720 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2011-10-18 21:20:12
Summary:
Worm. A program that primarily replicates over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
AppLaunch.exe:1544
AppLaunch.exe:1620
AppLaunch.exe:1032
AppLaunch.exe:428
AppLaunch.exe:1744
AppLaunch.exe:480
reg.exe:1768
reg.exe:1784
reg.exe:1752
reg.exe:1008
The Worm injects its code into the following process(es):
b5ce1d8ac91872ad3085f2c7495a9df5.exe:576
wmiapsvrd.exe:1632
audiadg.exe:392
File activity
The process b5ce1d8ac91872ad3085f2c7495a9df5.exe:576 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\System\wmiapsvrd.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\System\audiadg.exe (6 bytes)
The process AppLaunch.exe:1032 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
D:\ffpw.dat (2 bytes)
The process AppLaunch.exe:428 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pws_chro.bss (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pws_cdk.bss (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pws_ff.bss (39 bytes)
%Documents and Settings%\%current user%\Application Data\erlog1018 (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pws_mail.bss (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pws_mess.bss (65 bytes)
%Documents and Settings%\%current user%\Application Data\wiinlogon.exe (59 bytes)
The process AppLaunch.exe:480 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
D:\chro.dat (2 bytes)
Registry activity
The process b5ce1d8ac91872ad3085f2c7495a9df5.exe:576 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 E4 8F 65 34 2B 64 0A 68 2B A8 6D 63 D6 D3 74"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\System]
"audiadg.exe" = ""
The Worm modifies the IE security zone settings so that all local sites with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies the IE security zone settings so that all sites that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process wmiapsvrd.exe:1632 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 80 4D 43 3B D2 1E 5F DB AE 05 F0 17 B3 81 7C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process AppLaunch.exe:1544 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 32 3C 02 BA 87 3B 1A 40 E0 4C C6 AA D2 BA 18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process AppLaunch.exe:1620 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 B6 E8 0D CF B7 16 4A 6A 2A 22 B0 40 F7 39 E3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process AppLaunch.exe:1032 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 2E DB DF EA 4A 9D D6 19 07 EE AD DE 3E 23 A0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process AppLaunch.exe:428 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 1A 69 29 E9 57 EE FB 3B 93 B8 EC 8B 42 D4 8E"
[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"YQ4EYNRDA8" = "August 6, 2013"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"ipoint.exe" = "%Documents and Settings%\%current user%\Application Data\wiinlogon.exe"
[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"YQ4EYNRDA8" = "1018torrents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8BF88EAD-ABAF-6CFA-8BCF-02DEBF4B0B6A}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\wiinlogon.exe"
[HKCU\Software\Microsoft\Active Setup\Installed Components\{8BF88EAD-ABAF-6CFA-8BCF-02DEBF4B0B6A}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\wiinlogon.exe"
To run itself automatically each time Windows boots, the Worm adds the following reference to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipoint.exe" = "%Documents and Settings%\%current user%\Application Data\wiinlogon.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ipoint.exe" = "%Documents and Settings%\%current user%\Application Data\wiinlogon.exe"
The process AppLaunch.exe:1744 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 D5 7E 31 0A 0D F6 E9 64 DC 0A 28 87 73 EA 82"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process AppLaunch.exe:480 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 83 4A E9 6C DA B3 91 C0 E0 F4 B2 E9 21 B1 A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process reg.exe:1768 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 F7 7D 54 E4 8C 6B FA 49 FF 8B 6A 9C F0 7D CC"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
The process reg.exe:1784 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 FA 16 57 77 42 FB 25 BB BC 9C 21 C6 4C 29 DE"
The Worm adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"wiinlogon.exe" = "%Documents and Settings%\%current user%\Application Data\wiinlogon.exe:*:Enabled:Windows Messanger"
The process reg.exe:1752 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 D0 94 71 D8 EF 43 1A 86 33 C6 FF B4 BE BF 48"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
The process reg.exe:1008 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 37 B3 2B 4E A3 04 D7 3F 43 C3 CC B4 18 C5 7C"
The Worm adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"AppLaunch.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger"
The process audiadg.exe:392 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A ED BB E5 5A 47 A0 E7 7B 75 C1 E8 4C 7B 52 9B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\System]
"wmiapsvrd.exe" = "wmiapsvrd"
The Worm modifies the IE security zone settings so that all sites that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies the IE security zone settings so that all local sites with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Worm adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\System\audiadg.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://api.ipinfodb.com/v2/ip_query_country.php?key=33134207068e7a95c2b45275a388806be6b9ca837fe782832723b99fb21a7a8c&timezone=off | |
| kkklll.zapto.org | |
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
AppLaunch.exe:1544
AppLaunch.exe:1620
AppLaunch.exe:1032
AppLaunch.exe:428
AppLaunch.exe:1744
AppLaunch.exe:480
reg.exe:1768
reg.exe:1784
reg.exe:1752
reg.exe:1008
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temp\System\wmiapsvrd.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\System\audiadg.exe (6 bytes)
D:\ffpw.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pws_chro.bss (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pws_cdk.bss (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pws_ff.bss (39 bytes)
%Documents and Settings%\%current user%\Application Data\erlog1018 (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pws_mail.bss (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pws_mess.bss (65 bytes)
%Documents and Settings%\%current user%\Application Data\wiinlogon.exe (59 bytes)
D:\chro.dat (2 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipoint.exe" = "%Documents and Settings%\%current user%\Application Data\wiinlogon.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ipoint.exe" = "%Documents and Settings%\%current user%\Application Data\wiinlogon.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\System\audiadg.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.