Worm.Win32.Ainslot.VB_daa480c7c6

by malwarelabrobot on July 11th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Inject!IK (Emsisoft), Worm.Win32.Ainslot.VB.FD, WormAinslot_VariantOfZeus.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: daa480c7c67c52a37574ab93b32c1ce2
SHA1: 1c4c9a9aa18e94bd6557f218a2fbef5bf5fcc1bf
SHA256: 8674ca01ae8bd414feb8066e042c1571298577caa661b050cad78a00d075c4e8
SSDeep: 12288:r7iNEgqA6Nn9BLH0FaLHhNHzxDjHqmS8lVlcDpv7j8zv5mD6WvPsk :riETNpumvlVMpv7gzv5G6OPs5
Size: 648192 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC; UPolyXv05_v6; NETexecutable
Company: no certificate found
Created at: 2012-07-19 08:06:14


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
WormAutorun. A worm spreads via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Worm creates the following process(es) (PIDs are those of the sandbox run and carry no meaning on another host; AppLaunch.exe is the legitimate .NET Framework 2.0 application launcher, %WinDir%\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe, and reg.exe is the Windows command-line registry editor, both abused here rather than dropped):

AppLaunch.exe:1900
AppLaunch.exe:1660
reg.exe:748
reg.exe:1904
reg.exe:1748
reg.exe:368

The Worm injects its code into the following process(es) (the first two are the components it drops; the third is the sample's own process, pid 1792, which the sandbox flags because the packed binary writes executable code into its own address space as it unpacks):

MFC110D.exe:1600
iprtrmgr.exe:1208
daa480c7c67c52a37574ab93b32c1ce2.exe:1792
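The launch pattern above (dropped binaries in Temp and Templates, a legitimate .NET AppLaunch.exe used as a host, reg.exe doing the registry writes) is easier to catch in a process-creation log than by file hash. The following Python is an added example written for this page, not Lavasoft's or the report's own tooling: it walks a list of process-creation events and flags the three patterns. The events are constructed to mirror the process list above; the PIDs are taken from the report, but the parent PIDs, image paths and command lines are assumptions, since the report does not record them.

```python
"""Triage process-creation events for the launch pattern in this report.

Added example, not Lavasoft's tooling. SAMPLE_EVENTS is constructed: the
PIDs are the report's, but parent PIDs, image paths and command lines are
assumptions, because the report does not record them."""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; the sample drops its
# components under the first two.
USER_WRITABLE = (
    "\\local settings\\temp\\",
    "\\templates\\",
    "\\application data\\",
    "\\appdata\\",
)
# Legitimate Microsoft binaries the sample abuses, matched on image path.
APPLAUNCH = re.compile(r"\\microsoft\.net\\framework\\v[\d.]+\\applaunch\.exe$", re.I)
REG_EXE = re.compile(r"\\reg\.exe$", re.I)
# Registry paths whose modification through reg.exe is the tell here:
# the XP/2003 firewall policy and the per-user Run key.
SENSITIVE_KEYS = re.compile(r"\\firewallpolicy\\|\\currentversion\\run\b", re.I)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def from_user_writable(image: str) -> bool:
    low = image.lower()
    return any(marker in low for marker in USER_WRITABLE)


def untrusted_ancestor(proc, by_pid):
    """First process on the parent chain (the process itself included) that
    runs from a user-writable directory, or None. Cycle-safe."""
    seen, cur = set(), proc
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if from_user_writable(cur.image):
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def triage(events):
    """Return (pid, reason) findings for the events, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        origin = untrusted_ancestor(e, by_pid)
        if from_user_writable(e.image):
            findings.append((e.pid, "image runs from a user-writable directory"))
        elif REG_EXE.search(e.image):
            # The parent of reg.exe here is a trusted binary (AppLaunch.exe),
            # so the command line, not the parent, carries the signal.
            if SENSITIVE_KEYS.search(e.cmdline):
                findings.append((e.pid, "reg.exe modifies firewall policy or a Run key"))
            elif origin is not None:
                findings.append((e.pid, f"reg.exe descends from {origin.image}"))
        elif APPLAUNCH.search(e.image) and origin is not None:
            findings.append((e.pid, "AppLaunch.exe started by untrusted code: likely injection host"))
    return findings


# Constructed events (assumed parents, paths and command lines).
FW = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
TMP = r"C:\Documents and Settings\user\Local Settings\Temp"
SAMPLE_EVENTS = [
    Proc(1792, 1000, TMP + r"\daa480c7c67c52a37574ab93b32c1ce2.exe", ""),
    Proc(1600, 1792, r"C:\Documents and Settings\user\Templates\MFC110D.exe", ""),
    Proc(1208, 1792, TMP + r"\iprtrmgr.exe", ""),
    Proc(1900, 1792, r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe", ""),
    Proc(748, 1900, r"C:\WINDOWS\system32\reg.exe",
         f'reg add "{FW}\\AuthorizedApplications\\List" /v "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\VXH48YO3VI.exe" '
         '/t REG_SZ /d "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\VXH48YO3VI.exe:*:Enabled:Windows Messanger" /f'),
    Proc(1904, 1900, r"C:\WINDOWS\system32\reg.exe",
         f'reg add "{FW}" /v DoNotAllowExceptions /t REG_DWORD /d 0 /f'),
    # Benign contrast: an administrator querying the registry from cmd.exe.
    Proc(2000, 500, r"C:\WINDOWS\system32\cmd.exe", "cmd.exe"),
    Proc(2100, 2000, r"C:\WINDOWS\system32\reg.exe",
         r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {reason}")
```

The same rules apply unchanged to Sysmon event 1 or EDR process-creation records. The reg.exe rule keys on the command line rather than the parent because, in this report, the parent of reg.exe is a trusted Microsoft binary; a parent-only rule would miss it.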

File activity

The process AppLaunch.exe:1900 makes changes in a file system.
The Worm creates and/or writes to the following file(s); the byte counts are the sizes of the writes the sandbox observed, not necessarily the final size on disk (a 59-byte or 8-byte .exe cannot be a complete PE image):

%Documents and Settings%\%current user%\Local Settings\Temp\VXH48YO3VI.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\windows (33 bytes)

The process daa480c7c67c52a37574ab93b32c1ce2.exe:1792 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iprtrmgr.exe (4185 bytes)
%Documents and Settings%\%current user%\Templates\MFC110D.exe (8 bytes)

Both file names, and the version descriptions the MUICache entries below record for them ("IP Router Manager", "MFCDLL Shared Library - Debug Version"), are borrowed from legitimate Microsoft DLLs (iprtrmgr.dll, the RRAS IP router manager, and mfc110d.dll, the MFC debug runtime). Neither ships as an .exe, so an executable with either name in a user profile directory is an indicator in itself.

Registry activity

Most entries in this section (Cryptography\RNG\Seed, the MountPoints2 BaseClass entries, Explorer\Shell Folders) are written by Windows itself whenever a process calls CryptGenRandom, enumerates drives or looks up a known folder; the sandbox records every write, so they appear here without the sample having set them deliberately. The entries that matter are the Internet Settings\ZoneMap values, the Run key, the FirewallPolicy values and the "VB and VBA Program Settings" keys called out below.

The process MFC110D.exe:1600 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 3C 54 9C AB EE E5 BE 87 8B D1 13 ED 29 A1 72"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"iprtrmgr.exe" = "IP Router Manager"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Worm sets the Internet Explorer Local Intranet zone option "Include all sites that bypass the proxy server":

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm sets the Local Intranet zone option "Include all network paths (UNCs)":

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm sets the Local Intranet zone option "Include all local (intranet) sites not listed in other zones", which maps dotless host names to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

All three values are also Internet Explorer's defaults for these options and are routinely written by WinINet/urlmon the first time a process uses them, so by themselves they are weak indicators.

To run itself each time the user logs on, the Worm adds a value to the per-user Run key pointing at the copy dropped in the user's Templates folder (the value name imitates a Microsoft product description):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "%Documents and Settings%\%current user%\Templates\MFC110D.exe"

The process AppLaunch.exe:1900 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 98 49 26 C1 5D F4 38 89 6B 95 0C EB 14 CE 40"

Keys under HKCU\Software\VB and VBA Program Settings are what the Visual Basic 6 SaveSetting call writes, so the code AppLaunch.exe:1900 is executing here uses the VB6 runtime; the random-looking value name together with the install-date and SrvID entries is per-installation bookkeeping and makes a good host-level indicator:

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"J49BOA75KW" = "July 10, 2013"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"J49BOA75KW" = "New"

The process AppLaunch.exe:1660 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 8B 5F E1 B9 FF 3E 47 8E 98 45 5C 84 CC C0 07"

The process reg.exe:748 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 DC 8F B9 CA D9 7C A0 C3 57 ED F0 59 A6 3F C4"

Adds a Windows Firewall exception (XP/2003 StandardProfile, written through reg.exe) that allows unsolicited inbound connections to the dropped file from any address (scope "*"), registered under the display name "Windows Messanger"; the misspelling is the sample's own string and survives renaming of the file, so it is a usable indicator:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"VXH48YO3VI.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\VXH48YO3VI.exe:*:Enabled:Windows Messanger"

The process reg.exe:1904 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 59 0B 05 D9 75 16 0F DF C7 03 80 FE EC 0E ED"

Clears the firewall's "Don't allow exceptions" setting so that the exceptions list takes effect (0 is also the default state, so this value on its own proves nothing):

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:1748 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 2A 3F F5 30 55 95 2E 73 80 A0 0D E3 30 18 4C"

Clears the firewall's "Don't allow exceptions" setting again:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:368 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 39 A4 14 11 48 F5 E5 11 73 C0 2E C2 3D 85 54"

Adds a Windows Firewall exception that allows unsolicited inbound connections from any address to the legitimate .NET AppLaunch.exe that hosts the injected code, again under the display name "Windows Messanger":

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"AppLaunch.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger"

The process iprtrmgr.exe:1208 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 C3 24 9D C7 AA 10 50 A5 97 41 A8 61 15 04 6B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process daa480c7c67c52a37574ab93b32c1ce2.exe:1792 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 83 3D 55 C0 57 59 27 9A B3 B6 92 76 FF 6A F6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Templates]
"MFC110D.exe" = "MFCDLL Shared Library - Debug Version"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm sets the Local Intranet zone option "Include all network paths (UNCs)":

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm sets the Local Intranet zone option "Include all sites that bypass the proxy server":

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm sets the Local Intranet zone option "Include all local (intranet) sites not listed in other zones" (dotless host names):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
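To check a host for the persistence and firewall changes described in this section, the registry can be exported with `reg export` and scanned offline. The Python below is an added example, not part of the report or Lavasoft's tooling: it parses the .reg export format and flags Run-key entries that point into user-writable directories, firewall AuthorizedApplications entries that are enabled for such paths or registered under the sample's "Windows Messanger" display name, a cleared DoNotAllowExceptions flag, and any VB6 SaveSetting keys. The .reg text at the end is constructed to resemble an export from an infected XP host; the user name and concrete paths are assumptions.

```python
"""Scan a `reg export` dump (Windows Registry Editor Version 5.00 format)
for the persistence and firewall changes described in this report.

Added example, not Lavasoft's tooling. SAMPLE_REG is constructed to look
like an export from an infected XP host; user name and paths are assumptions."""
import re

USER_WRITABLE = re.compile(
    r"\\(local settings\\temp|locals~1\\temp|templates|application data|appdata)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)
FW_PROFILE = re.compile(r"\\firewallpolicy\\\w+profile$", re.I)
FW_LIST = re.compile(r"\\firewallpolicy\\\w+profile\\authorizedapplications\\list$", re.I)
VB_SETTINGS = re.compile(r"\\vb and vba program settings\\", re.I)
# Display name the sample registers its firewall exceptions under. The
# misspelling is the sample's own and survives renaming of the binary.
IOC_DISPLAY_NAME = "windows messanger"

# "name"=data or @=data; names and string data use \\ and \" escapes.
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data). Strings are unescaped, dword values
    become int, other types (hex:, expand strings) are returned verbatim."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE.match(line)
        if key is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        yield key, name, data


def analyse(text):
    """Return (kind, key, value_name, detail) findings for a .reg export."""
    findings = []
    for key, name, data in parse_reg(text):
        if RUN_KEY.search(key) and isinstance(data, str) and USER_WRITABLE.search(data):
            findings.append(("persistence", key, name, data))
        elif FW_LIST.search(key) and isinstance(data, str):
            # XP/2003 format: <path>:<scope>:<Enabled|Disabled>:<display name>.
            # rsplit keeps the drive-letter colon inside the path.
            parts = data.rsplit(":", 3)
            if len(parts) != 4:
                continue
            path, scope, state, display = parts
            if state.lower() == "enabled" and (
                    USER_WRITABLE.search(path) or display.lower() == IOC_DISPLAY_NAME):
                findings.append(("firewall-exception", key, name,
                                 f"{path} scope={scope} name={display}"))
        elif FW_PROFILE.search(key) and name.lower() == "donotallowexceptions" and data == 0:
            findings.append(("firewall-exceptions-enabled", key, name, data))
        elif VB_SETTINGS.search(key):
            findings.append(("vb6-savesetting", key, name, data))
    return findings


# Constructed export; ctfmon.exe and msmsgs.exe are benign entries for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft® Windows® Operating System"="C:\\Documents and Settings\\user\\Templates\\MFC110D.exe"

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE]
"J49BOA75KW"="July 10, 2013"

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID]
"J49BOA75KW"="New"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%ProgramFiles%\\Messenger\\msmsgs.exe"="%ProgramFiles%\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\VXH48YO3VI.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\VXH48YO3VI.exe:*:Enabled:Windows Messanger"
"C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe"="C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger"
"""

if __name__ == "__main__":
    for kind, key, name, detail in analyse(SAMPLE_REG):
        print(f"{kind:28} {name!r} -> {detail}")
```

A real export is UTF-16 with a BOM; read it with `open(path, encoding="utf-16")` before passing the text in. The same scan can be run again after cleanup to confirm the Run value, the two firewall entries and the VB6 keys are gone.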

Network activity (URLs)

No activity was detected during the sandbox run. The firewall exceptions above show the sample expects inbound connections, so the lack of traffic here says more about the sandbox environment than about the sample.

Rootkit activity

No anomalies have been detected.

Propagation

A worm spreads via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. Two caveats: the file activity recorded above contains no autorun.inf or removable-drive writes, so this paragraph reflects the family classification (GenericAutorunWorm.YR) rather than behaviour observed in this run; and Windows 7 and later, as well as XP/Vista with update KB971029 (February 2011), ignore autorun.inf on non-optical removable drives, so on patched systems the copy on the drive only runs if a user opens it by hand.
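The report describes the propagation mechanism but does not record what this sample writes to autorun.inf. The Python below is an added example, not the report's or Lavasoft's code, that parses an autorun.inf the way a triage script on a suspect USB drive would: it extracts every key Windows would execute (open, shellexecute, shell\<verb>\command), resolves the target against the drive, and notes the tricks removable-drive worms commonly use (binary junk lines against signatures, a target inside RECYCLER, an action= text imitating Explorer's "Open folder to view files", and a shell= verb that redirects double-click). Both input files are constructed; the file names, SID-style folder name and drive letters are assumptions.

```python
"""Extract what an autorun.inf would launch, and why it looks hostile.

Added example, not Lavasoft's tooling. Both inputs below are constructed;
file names, the SID-style folder and drive letters are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Section header Windows honours: [autorun] or an architecture-specific
# [autorun.<arch>] variant. Key names are case-insensitive.
SECTION = re.compile(r"^\[\s*autorun(?:\.[\w-]+)?\s*\]$", re.I)
# Keys whose value Windows would execute.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Folders Explorer hides by default; worms park their binary there.
HIDDEN_DIRS = re.compile(r"\\(recycler|recycled|\$recycle\.bin|system volume information)\\", re.I)


@dataclass
class AutorunInfo:
    targets: List[Tuple[str, str]] = field(default_factory=list)  # (key, resolved program path)
    default_verb: Optional[str] = None   # shell=<verb>: what a double-click runs
    action: Optional[str] = None         # text shown in the AutoPlay dialog
    notes: List[str] = field(default_factory=list)


def first_token(command: str) -> str:
    """Program path of a command line: a quoted path or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def resolve(path: str, drive: str) -> str:
    """autorun.inf paths are relative to the drive root unless absolute or UNC."""
    if re.match(r"^[a-z]:\\", path, re.I) or path.startswith("\\\\"):
        return path
    return drive + (path if path.startswith("\\") else "\\" + path)


def parse_autorun(data: bytes, drive: str = "E:") -> AutorunInfo:
    # latin-1 never fails to decode, so binary padding cannot abort the parse.
    text = data.decode("latin-1")
    info = AutorunInfo()
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = bool(SECTION.match(line))
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if LAUNCH_KEYS.match(key):
            info.targets.append((key.lower(), resolve(first_token(value), drive)))
        elif key.lower() == "shell":
            info.default_verb = value.strip('"')
        elif key.lower() == "action":
            info.action = value.strip('"')

    for key, target in info.targets:
        if HIDDEN_DIRS.search(target):
            info.notes.append(f"{key} runs from a folder Explorer hides: {target}")
    if info.action and "open folder" in info.action.lower():
        info.notes.append("action= imitates Explorer's own 'Open folder to view files' entry")
    custom_verbs = {k.split("\\")[1] for k, _ in info.targets if k.startswith("shell\\")}
    if info.default_verb and info.default_verb.lower() in custom_verbs:
        info.notes.append(f"double-click redirected: shell={info.default_verb} maps to a custom command")
    return info


# Constructed: the layout a removable-drive worm typically writes.
SAMPLE_WORM = (
    b"[AutoRun]\r\n"
    b"\x8f\x02\xfe padding that is not a key\r\n"   # junk inserted against signatures
    b"OPEN=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\system.exe\r\n"
    b"shell\\open\\Command=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\system.exe -auto\r\n"
    b"shell\\explore\\command=\"RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\system.exe\" -x\r\n"
    b"shell=open\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)
# Constructed: what a driver CD legitimately ships.
SAMPLE_BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Driver CD\r\n"

if __name__ == "__main__":
    for name, blob in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        info = parse_autorun(blob)
        print(name, info.targets, info.notes)
```

On a suspect drive, read the root autorun.inf as bytes and pass the actual drive letter; every resolved target is a file to hash and pull, whether or not AutoRun would still honour it on the host.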


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). The PIDs below are from the sandbox run and will differ on an infected host. AppLaunch.exe and reg.exe are legitimate Windows binaries that are hosting injected code or executing the Worm's commands, so end the running instances but do not delete the binaries themselves; also end the dropped MFC110D.exe and iprtrmgr.exe processes:

    AppLaunch.exe:1900
    AppLaunch.exe:1660
    reg.exe:748
    reg.exe:1904
    reg.exe:1748
    reg.exe:368
    MFC110D.exe:1600
    iprtrmgr.exe:1208

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp\VXH48YO3VI.exe (59 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\windows (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iprtrmgr.exe (4185 bytes)
    %Documents and Settings%\%current user%\Templates\MFC110D.exe (8 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft® Windows® Operating System" = "%Documents and Settings%\%current user%\Templates\MFC110D.exe"

    together with the firewall exceptions and settings keys the Worm added:

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] (the two entries ending in ":*:Enabled:Windows Messanger", for VXH48YO3VI.exe and AppLaunch.exe)
    [HKCU\Software\VB and VBA Program Settings\INSTALL]
    [HKCU\Software\VB and VBA Program Settings\SrvID]

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
