Worm.Win32.Ainslot_VariantOfZeus_4704e6c8f1

by malwarelabrobot on May 23rd, 2014 in Malware Descriptions.

Trojan.Win32.Agent.vpau (Kaspersky), Trojan.Generic.7719771 (B) (Emsisoft), Trojan.Generic.7719771 (AdAware), mzpefinder_pcap_file.YR, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR, TrojanDropperPolymorph1.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 4704e6c8f118a401f9905f818c5dc007
SHA1: a6834f7af79b64e8624904d665ce5a08b939b583
SHA256: 54224df4f58b2c69f858e3ba98a2fbd61bc538df1c40ecf11f66eb0dfb74835b
SSDeep: 24576:5jdtAEM5KtSclaUz6Fw/jr9QOKtsccKww BR78W mb8pL/zRj4zgsy/ZbFdM:RdU4c ZJ9nJBBB8pLlj4zgR/J
Size: 1137662 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2012-08-15 13:02:15
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that primarily replicates over networks or removable drives.

Payload

Behaviour: WormAutorun
Description: A worm that can spread via removable drives. It writes its executable and an "autorun.inf" script to every removable drive; the autorun script executes the Worm's file once a user opens the drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

GoogleUpdate.exe:1308
GoogleUpdate.exe:1988
GoogleUpdate.exe:756
A5OINK8SAER9Y.exe:1684
%original file name%.exe:468

The Worm injects its code into the following process(es):

GoogleUpdate.exe:1812
GoogleUpdate.exe:316
svchost.exe:868
svchost.exe:1180
svchost.exe:1480
svchost.exe:328

File activity

The process GoogleUpdate.exe:1308 makes changes in the file system.
The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\Install (0 bytes)

The process GoogleUpdate.exe:316 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_et.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_iw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en-GB.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateSetup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ml.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ur.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sl.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_nl.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_gu.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_de.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-BR.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ca.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_no.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ko.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_mr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fi.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es-419.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler64.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_is.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_vi.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_tr.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ta.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sw.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_am.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_kn.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ms.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ja.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fr.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hr.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-PT.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lv.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_uk.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateHelper.msi (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sk.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_it.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bn.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fa.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bg.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateBroker.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ru.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ro.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pl.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_cs.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_el.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fil.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_da.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sr.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-TW.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_th.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_te.dll (29 bytes)
%WinDir%\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (970 bytes)
%WinDir%\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (918 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-CN.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hi.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lt.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_id.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hu.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ar.dll (26 bytes)

The process A5OINK8SAER9Y.exe:1684 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files%\GUMD.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files%\GUMD.tmp\goopdateres_gu.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_sv.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_fil.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_hr.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_kn.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_th.dll (27 bytes)
%Program Files%\GUMD.tmp\goopdateres_sl.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_fr.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files%\GUMD.tmp\goopdateres_ar.dll (26 bytes)
%Program Files%\GUMD.tmp\goopdateres_en.dll (27 bytes)
%Program Files%\GUMD.tmp\goopdateres_lt.dll (28 bytes)
%Program Files%\GUMD.tmp\psmachine.dll (157 bytes)
%Program Files%\GUMD.tmp\goopdateres_ur.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_it.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_uk.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_no.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_am.dll (25 bytes)
%Program Files%\GUMD.tmp\goopdateres_ja.dll (24 bytes)
%Program Files%\GUMD.tmp\goopdateres_mr.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_hi.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files%\GUMD.tmp\goopdateres_ml.dll (31 bytes)
%Program Files%\GUMD.tmp\goopdateres_cs.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_ta.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_ms.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_ko.dll (23 bytes)
%Program Files%\GUMD.tmp\goopdateres_te.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_pl.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_de.dll (31 bytes)
%Program Files%\GUMD.tmp\GoogleUpdate.exe (116 bytes)
%Program Files%\GUMD.tmp\goopdateres_es.dll (31 bytes)
%Program Files%\GUMD.tmp\psuser.dll (157 bytes)
%Program Files%\GUMD.tmp\goopdateres_bg.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_bn.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_ru.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_el.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_is.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_sk.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleCrashHandler.exe (180 bytes)
%Program Files%\GUMD.tmp\goopdateres_hu.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_et.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_id.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_da.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_lv.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_ca.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files%\GUMD.tmp\goopdateres_iw.dll (26 bytes)
%Program Files%\GUMD.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files%\GUMD.tmp\goopdateres_sr.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdate.dll (1990 bytes)
%Program Files%\GUMD.tmp\goopdateres_vi.dll (28 bytes)
%Program Files%\GUTE.tmp (25429 bytes)
%Program Files%\GUMD.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUMD.tmp\goopdateres_ro.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_nl.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_fa.dll (27 bytes)
%Program Files%\GUMD.tmp\goopdateres_tr.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_fi.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleCrashHandler64.exe (233 bytes)
%Program Files%\GUMD.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_sw.dll (29 bytes)

The Worm deletes the following file(s):

%Program Files%\GUMD.tmp (0 bytes)

The process %original file name%.exe:468 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.bat (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.txt (158 bytes)
%Documents and Settings%\%current user%\Application Data\Trion\svchost.exe (17563 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.txt (0 bytes)

Registry activity

The process GoogleUpdate.exe:1308 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 7A E0 34 D4 E6 4C C8 73 7C 4B C4 80 A2 D8 9E"

[HKCU\Software\Google\Update\proxy]
"source" = "direct"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"tttoken"
"iid"

[HKCU\Software\Google\Update]
"old-uid"
"uid"

The process GoogleUpdate.exe:1812 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 83 9D A7 6B 9C 7D BB BE 00 98 92 3D D2 D3 12"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Google\Update]
"eulaaccepted"

The process GoogleUpdate.exe:316 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"

[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll"

[HKCU\Software\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdate.exe"

[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"
"Version" = "3"

[HKCU\Software\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"brand" = "CHMB"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update"

[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll"

[HKCU\Software\Classes\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "0"

[HKCU\Software\Google\Update]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe"

[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.21.111"

[HKCU\Software\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"iid" = "{21247E6F-D9B5-2BDB-08EC-CFCF0FB3788C}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKCU\Software\Google\Update]
"Version" = "1.3.21.111"

[HKCU\Software\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"

[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"

[HKCU\Software\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"

[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"InstallTime" = "1400777004"

[HKCU\Software\Classes\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKCU\Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"
"pv" = "1.3.21.111"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 16 77 69 18 78 5E 37 4C B8 62 24 28 4D 09 BE"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update]
"GoogleUpdate.exe" = "Google Installer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."

[HKCU\Software\Google\Update]
"UninstallCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /uninstall"

[HKCU\Software\Classes\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"

[HKCU\Software\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateOnDemand.exe"

[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
"ProductName" = "Google Update"

[HKCU\Software\Classes\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

To run automatically each time Windows boots, the Worm adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKCU\Software\Google\Update]
"eulaaccepted"
"ui"

[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKCU\Software\Google\Update]
"old-uid"
"LastChecked"
"uid"

The process GoogleUpdate.exe:1988 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 1F 37 54 49 19 61 DD 8B 42 8E 96 BD 64 A9 C2"

[HKCU\Software\Google\Update\proxy]
"source" = "direct"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Google\Update\network\secure]
"c"
"sk"

The process GoogleUpdate.exe:756 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser\CLSID]
"(Default)" = "{2F0E2680-9FF5-43C0-B76E-114A56E93598}"

[HKCU\Software\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKCU\Software\Classes\Google.OneClickProcessLauncherUser.1.0]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCU\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser\CLSID]
"(Default)" = "{E67BE843-BBBE-4484-95FB-05271AE86750}"

[HKCU\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe"

[HKCU\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}]
"(Default)" = "PSFactoryBuffer"

[HKCU\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassUser"

[HKCU\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCU\Software\Classes\GoogleUpdate.Update3WebUser.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InProcServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}]
"CLSID" = "{51F9E8EF-59D7-475B-A106-C7EA6F30C119}"

[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser.1.0\CLSID]
"(Default)" = "{022105BD-948A-40C9-AB42-A3300DDF097F}"

[HKCU\Software\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCU\Software\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe"

[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCU\Software\Classes\GoogleUpdate.Update3WebUser.1.0\CLSID]
"(Default)" = "{22181302-A8A6-4F84-A541-E5CBFC70CC43}"

[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{C6398F88-69CE-44AC-B6A7-1D3E2AA46679}]
"(Default)" = "IAppWeb"

[HKCU\Software\Classes\CLSID\{CD221623-4F9A-4FA5-A9EE-A77EC8F0E7BD}\InprocHandler32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll"

[HKCU\Software\Classes\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}\NumMethods]
"(Default)" = "40"

[HKCU\Software\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCU\Software\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll"

[HKCU\Software\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 B4 32 C5 04 72 6C 6F 69 72 A7 5B AE 34 78 02"

[HKCU\Software\Classes\GoogleUpdate.Update3WebUser\CLSID]
"(Default)" = "{22181302-A8A6-4F84-A541-E5CBFC70CC43}"

[HKCU\Software\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCU\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser.1.0\CLSID]
"(Default)" = "{2F0E2680-9FF5-43C0-B76E-114A56E93598}"

[HKCU\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCU\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCU\Software\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

[HKCU\Software\Classes\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\GoogleUpdate.Update3WebUser]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCU\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogUser"

[HKCU\Software\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCU\Software\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCU\Software\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCU\Software\Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll"

[HKCU\Software\Classes\Google.OneClickProcessLauncherUser\CurVer]
"(Default)" = "Google.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\Google.OneClickProcessLauncherUser]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCU\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassUser"

[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser\CLSID]
"(Default)" = "{022105BD-948A-40C9-AB42-A3300DDF097F}"

[HKCU\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser.1.0]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{C6398F88-69CE-44AC-B6A7-1D3E2AA46679}\NumMethods]
"(Default)" = "14"

[HKCU\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherUser"

[HKCU\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}]
"Policy" = "3"

[HKCU\Software\Classes\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{C6398F88-69CE-44AC-B6A7-1D3E2AA46679}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCU\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCU\Software\Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Google.OneClickProcessLauncherUser.1.0\CLSID]
"(Default)" = "{51F9E8EF-59D7-475B-A106-C7EA6F30C119}"

[HKCU\Software\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCU\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\GoogleUpdate.Update3WebUser\CurVer]
"(Default)" = "GoogleUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\CLSID\{CD221623-4F9A-4FA5-A9EE-A77EC8F0E7BD}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCU\Software\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser.1.0\CLSID]
"(Default)" = "{E67BE843-BBBE-4484-95FB-05271AE86750}"

[HKCU\Software\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"

[HKCU\Software\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCU\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebUser"

[HKCU\Software\Classes\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}]
"(Default)" = "IApp"

[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Google.OneClickProcessLauncherUser\CLSID]
"(Default)" = "{51F9E8EF-59D7-475B-A106-C7EA6F30C119}"

The Worm deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{CD221623-4F9A-4FA5-A9EE-A77EC8F0E7BD}\InprocHandler32]
[HKCU\Software\Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32]
[HKCU\Software\Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}]
[HKCU\Software\Classes\CLSID\{CD221623-4F9A-4FA5-A9EE-A77EC8F0E7BD}]

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Google\Update\network\secure]
"c"
"sk"

The process A5OINK8SAER9Y.exe:1684 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F A2 21 91 18 03 6E 55 E2 1F E7 D9 23 E2 D1 FF"

The process %original file name%.exe:468 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 5F 1C 43 C7 4B 87 35 94 49 50 C7 BA FB 1B 2D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Trion]
"svchost.exe" = "miroita extrapolee e'bahissant"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WVRTF.bat" = "WVRTF"

The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE security zone settings to map all local web nodes (names with no dots) that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 782336 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 786432 393216 391680 5.39803 a5aea7f61c087045e96627e1f7ba6369
.rsrc 1179648 8192 5120 3.6644 d3817cbaabb037719554f051cfb88800

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://tools.l.google.com/service/update2
hxxp://tools.l.google.com/service/update2?w=6:kBkzqI4jJyMi8KhhKEcTwtwvqm5ZHo_yZ-YfsjMTl7PATAKMBq6gC1FVn1e57EgisvtFAd9zaUFDyNgcWHbXAVlmuEwr1dhTgby64ssO1JW5_9laE3sQqggOZoFLw2vKTi3-Jh_mpd-C6LObeNZ22CeDYDIPe8sh566xaJDwNOiews3HCjZzWQ4suS33b7YaVAnXz7H7JduwtRh6z1RxeqpxxKqJzjZ1k7sM4F7zBDRJBVHavGEXeRSwocxoU_HOXQLJgFE51Qby6MtS0aoRUyyS6lkDLDVG8HpRIxCk9yg3rmiEj6mjfED0X2Cc9GcK4KhdyRiweXzMaGyPDOz3tA
hxxp://redirector.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe
hxxp://r8.sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791417&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=7EEF21E23BA864491FB2D14418A91567DE2E6A55.0BE67118D118D358F4481C68C4E6DF0BA7AD0446&key=cms1
hxxp://r8.sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1
hxxp://tools.google.com/service/update2 74.125.143.102
hxxp://tools.google.com/service/update2?w=6:kBkzqI4jJyMi8KhhKEcTwtwvqm5ZHo_yZ-YfsjMTl7PATAKMBq6gC1FVn1e57EgisvtFAd9zaUFDyNgcWHbXAVlmuEwr1dhTgby64ssO1JW5_9laE3sQqggOZoFLw2vKTi3-Jh_mpd-C6LObeNZ22CeDYDIPe8sh566xaJDwNOiews3HCjZzWQ4suS33b7YaVAnXz7H7JduwtRh6z1RxeqpxxKqJzjZ1k7sM4F7zBDRJBVHavGEXeRSwocxoU_HOXQLJgFE51Qby6MtS0aoRUyyS6lkDLDVG8HpRIxCk9yg3rmiEj6mjfED0X2Cc9GcK4KhdyRiweXzMaGyPDOz3tA 74.125.143.102
hxxp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1 185.2.108.19
hxxp://cache.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe 173.194.71.138
hxxp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791417&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=7EEF21E23BA864491FB2D14418A91567DE2E6A55.0BE67118D118D358F4481C68C4E6DF0BA7AD0446&key=cms1 185.2.108.19


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /service/update2?w=6:kBkzqI4jJyMi8KhhKEcTwtwvqm5ZHo_yZ-YfsjMTl7PATAKMBq6gC1FVn1e57EgisvtFAd9zaUFDyNgcWHbXAVlmuEwr1dhTgby64ssO1JW5_9laE3sQqggOZoFLw2vKTi3-Jh_mpd-C6LObeNZ22CeDYDIPe8sh566xaJDwNOiews3HCjZzWQ4suS33b7YaVAnXz7H7JduwtRh6z1RxeqpxxKqJzjZ1k7sM4F7zBDRJBVHavGEXeRSwocxoU_HOXQLJgFE51Qby6MtS0aoRUyyS6lkDLDVG8HpRIxCk9yg3rmiEj6mjfED0X2Cc9GcK4KhdyRiweXzMaGyPDOz3tA HTTP/1.1
User-Agent: Google Update/1.3.21.111;winhttp;cup
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
If-Match: "t_DrlU6FN5dkjNRz2w_YJatTwqY"
Host: tools.google.com
Content-Length: 518
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.21.111" shell_version="1.3.21.103" ismachine="0" sessionid="{B52B1E18-BD56-411D-B250-AB43636A079D}" installsource="taggedmi" requestid="{4A86BA68-A203-4A36-8828-A1430AF58F45}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{8A69D345-D564-463C-AFF1-A69D9E530F96}" version="" nextversion="" lang="en" brand="CHMB" client="" installage="-1" iid="{21247E6F-D9B5-2BDB-08EC-CFCF0FB3788C}"><updatecheck/></app></request>
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 22 May 2014 16:43:32 GMT
Set-Cookie: c=ANcH4TKrj7LXuIEN6Q8zdKvxr7odaG8fwMPAjhdwWa5-WyEV_oiQimVnyATQcicLxqznR9ChmAh2mpxpf0zD-UgNMB5kWZGiLA
ETag: "02m8nGfdKqb9nxNW1XIiWUFacCI"
Content-Type: text/xml; charset=UTF-8
X-Daynum: 2698
X-Daystart: 35012
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic
Transfer-Encoding: chunked
<?xml version="1.0" encoding="UTF-8"?><response protocol="3.0" server="prod"><daystart elapsed_days="2698" elapsed_seconds="35012"/><app appid="{8A69D345-D564-463C-AFF1-A69D9E530F96}" status="ok"><updatecheck status="ok"><urls><url codebase="hXXp://cache.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/"/><url codebase="hXXp://VVV.google.com/dl/chrome/win/D49A7790200F64CE/"/><url codebase="hXXps://dl.google.com/chrome/win/D49A7790200F64CE/"/><url codebase="hXXp://dl.google.com/chrome/win/D49A7790200F64CE/"/><url codebase="hXXp://google.com/dl/chrome/win/D49A7790200F64CE/"/></urls><manifest version="35.0.1916.114"><packages><package fp="2.35.0.1916.114" hash="BFD4gUIxRsRNJjewFw7LqqCZWh0=" name="35.0.1916.114_chrome_installer.exe" required="true" size="38382160"/></packages><actions><action arguments="--multi-install --chrome --verbose-logging --do-not-launch-chrome" event="install" run="35.0.1916.114_chrome_installer.exe"/><action Version="35.0.1916.114" event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/></actions></manifest></updatecheck></app></response>
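
The exchange above is Google Update (Omaha) protocol 3.0 traffic, not command-and-control: the client posts an updatecheck for app id {8A69D345-D564-463C-AFF1-A69D9E530F96} (Google Chrome) with installsource="taggedmi", i.e. a tagged meta-installer, which fits the GoogleUpdateSetup.exe stub dropped under the user's Application Data\Google\Update directory, and the server answers with five codebase mirrors, only one of them (dl.google.com) offered over HTTPS, plus a manifest naming the package, its size (38382160 bytes, the same Content-Length the later BITS download receives) and a base64 SHA-1 hash. The script below is an added example, not part of the Lavasoft report or of Google's own code: it parses such a response and checks a downloaded package against the manifest. The function names are the example's own; the input is the captured response reassembled from the chunked dump, with URLs kept in the report's defanged hXXp/VVV form and refanged in code.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed input: the update-check response captured above, reassembled from the
# chunked dump. URLs are in the report's defanged form (hXXp, VVV) and refanged below.
OMAHA_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<response protocol="3.0" server="prod">'
    '<daystart elapsed_days="2698" elapsed_seconds="35012"/>'
    '<app appid="{8A69D345-D564-463C-AFF1-A69D9E530F96}" status="ok">'
    '<updatecheck status="ok"><urls>'
    '<url codebase="hXXp://cache.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/"/>'
    '<url codebase="hXXp://VVV.google.com/dl/chrome/win/D49A7790200F64CE/"/>'
    '<url codebase="hXXps://dl.google.com/chrome/win/D49A7790200F64CE/"/>'
    '<url codebase="hXXp://dl.google.com/chrome/win/D49A7790200F64CE/"/>'
    '<url codebase="hXXp://google.com/dl/chrome/win/D49A7790200F64CE/"/>'
    '</urls><manifest version="35.0.1916.114"><packages>'
    '<package fp="2.35.0.1916.114" hash="BFD4gUIxRsRNJjewFw7LqqCZWh0="'
    ' name="35.0.1916.114_chrome_installer.exe" required="true" size="38382160"/>'
    '</packages><actions>'
    '<action arguments="--multi-install --chrome --verbose-logging --do-not-launch-chrome"'
    ' event="install" run="35.0.1916.114_chrome_installer.exe"/>'
    '<action Version="35.0.1916.114" event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/>'
    '</actions></manifest></updatecheck></app></response>'
)


def refang(url: str) -> str:
    """Undo the report's defanging (hXXp -> http, VVV -> www)."""
    return url.replace("hXXp", "http").replace("VVV.", "www.")


def parse_update_check(xml_text: str) -> dict:
    """Pull the fields an analyst cares about out of an Omaha v3 <updatecheck> response."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    app = root.find("app")
    check = app.find("updatecheck")
    manifest = check.find("manifest")
    return {
        "appid": app.get("appid"),
        "status": check.get("status"),
        "codebases": [u.get("codebase") for u in check.find("urls")],
        "version": manifest.get("version"),
        "packages": [dict(p.attrib) for p in manifest.find("packages")],
        "actions": [dict(a.attrib) for a in manifest.find("actions")],
    }


def https_codebases(info: dict) -> list[str]:
    """Only the mirrors that would be fetched over TLS; the others are plain HTTP."""
    urls = [refang(u) for u in info["codebases"]]
    return [u for u in urls if u.startswith("https://")]


def package_hash_b64(data: bytes) -> str:
    """Omaha v3 'hash' is the base64 of the package's SHA-1 digest."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def verify_package(data: bytes, pkg: dict) -> bool:
    """Check a downloaded package against the manifest's size and SHA-1 before running it."""
    return len(data) == int(pkg["size"]) and package_hash_b64(data) == pkg["hash"]


if __name__ == "__main__":
    info = parse_update_check(OMAHA_RESPONSE)
    pkg = info["packages"][0]
    print(info["appid"], info["version"], pkg["name"], pkg["size"], pkg["hash"])
    print("TLS mirrors:", https_codebases(info))
    # The 38 MB installer is not available here, so a placeholder blob must fail the check.
    print("placeholder verifies:", verify_package(b"not the installer", pkg))
```

The update check itself ran over plain HTTP in this capture, so the manifest hash is only as trustworthy as the response that carried it: the size and SHA-1 check defends against a corrupted or swapped download from the HTTP mirrors, not against an attacker who can rewrite the update-check reply. For triage the more useful observation is that every request in this network section is stock Omaha/Chrome-installer traffic; the worm's own command-and-control does not appear in what was captured.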

<<< skipped >>>

POST /service/update2 HTTP/1.1
User-Agent: Google Update/1.3.21.111;winhttp
X-Last-HR: 0x80072f94
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: tools.google.com
Content-Length: 565
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.21.111" shell_version="1.3.21.103" ismachine="0" sessionid="{B52B1E18-BD56-411D-B250-AB43636A079D}" installsource="taggedmi" requestid="{192EB7DE-EC66-4E84-B41B-1D6CB0B2BBE7}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" version="" nextversion="1.3.21.111" lang="en" brand="CHMB" client="" iid="{21247E6F-D9B5-2BDB-08EC-CFCF0FB3788C}"><event eventtype="2" eventresult="1" errorcode="0" extracode1="0"/></app></request>
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 22 May 2014 16:43:31 GMT
Content-Type: text/xml; charset=UTF-8
X-Daynum: 2698
X-Daystart: 35011
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic
Transfer-Encoding: chunked
<?xml version="1.0" encoding="UTF-8"?><response protocol="3.0" server="prod"><daystart elapsed_days="2698" elapsed_seconds="35011"/><app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" status="ok"><event status="ok"/></app></response>


HEAD /edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791417&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=7EEF21E23BA864491FB2D14418A91567DE2E6A55.0BE67118D118D358F4481C68C4E6DF0BA7AD0446&key=cms1 HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: r8---sn-bpb5oxu-3c2e.c.pack.google.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 38382160
Content-Type: application/x-msdos-program
Etag: "42f4f"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 15 May 2014 14:37:26 GMT
Last-Modified: Wed, 14 May 2014 15:41:00 GMT
Connection: keep-alive
Alternate-Protocol: 80:quic



GET /edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1 HTTP/1.1

Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: r8---sn-bpb5oxu-3c2e.c.pack.google.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 38382160
Content-Type: application/x-msdos-program
Etag: "42f4f"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 15 May 2014 14:37:26 GMT
Last-Modified: Wed, 14 May 2014 15:41:00 GMT
Connection: keep-alive
Alternate-Protocol: 80:quic
[binary response body, truncated: the start of the PE image 35.0.1916.114_chrome_installer.exe (MZ header, "This program cannot be run in DOS mode", .text/.data section headers, then UTF-16 GUID strings {8A69D345-D564-463c-AFF1-A69D9E530F96}, {FDA71E6F-AC4C-4a00-8B70-9958A68906BF}, {8BA986DA-5100-405E-AA35-86F34A02ACBF}, {4DC8 ...)]

<<< skipped >>>

HEAD /edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cache.pack.google.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Thu, 22 May 2014 16:43:37 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791417&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=7EEF21E23BA864491FB2D14418A91567DE2E6A55.0BE67118D118D358F4481C68C4E6DF0BA7AD0446&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 584
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic



GET /edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe HTTP/1.1

Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cache.pack.google.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Thu, 22 May 2014 16:43:41 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 584
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="hXXp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1">here</A>.
</BODY></HTML>

<<< skipped >>>

The Worm connects to the servers at the following location(s):

svchost.exe_868:

.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
http://www.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
89.202.149
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe

svchost.exe_868_rwx_00400000_0000C000:

.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
http://www.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
89.202.149
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe

svchost.exe_1180:

.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
http://www.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
89.202.149
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe

svchost.exe_1180_rwx_00400000_0000C000:

.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
http://www.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
89.202.149
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe

svchost.exe_1480:

`.rsrc
DetectWindows
advapi32.dll
ntdll.dll
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
shell32.dll
ShellExecuteEx
lz32.dll
.text
`.data
.rsrc
Svchost*1*|OFF|*appdata*Trion\*svchost.exe*
KERNEL32.DLL
MSVBVM60.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
WScript.Shell
explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Scripting.FileSystemObject
Explorer.exe,
a.exe

svchost.exe_1480_rwx_00400000_0000B000:

`.rsrc
DetectWindows
advapi32.dll
ntdll.dll
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
shell32.dll
ShellExecuteEx
lz32.dll
.text
`.data
.rsrc
Svchost*1*|OFF|*appdata*Trion\*svchost.exe*
KERNEL32.DLL
MSVBVM60.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
WScript.Shell
explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Scripting.FileSystemObject
Explorer.exe,
a.exe

svchost.exe_328:

`.rsrc
WebHide
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\MSVBVM60.DLL\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
03C:\Windows\SysWOW64\ieframe.oca
4^tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
InternetOpenUrlA
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetDirectory
Http_DownloadFile
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpDownload
FtpUpload
cmdShowfiles
msvbvm60.dll
tmrTCP
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
.text
`.data
.rsrc
.rsrch
KERNEL32.DLL
MSVBVM60.DLL
*\AH:\Blackshades Project\Blackshades NET\server\server.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
http\shell\open\command
127.0.0.1
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
http://www.facebook.com/?ref=home
http://www.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WScript.Shell
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
/stext mess.dat
abe2869f-9b47-4cd9-a358-c22904dba7f7
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
https://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
\system32\userinit.exe
steam.exe
hl.exe
\rspad.dat
@*\AH:\Blackshades Project\Blackshades NET\server\server.vbp

svchost.exe_328_rwx_00400000_0007B000:

`.rsrc
WebHide
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\MSVBVM60.DLL\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
03C:\Windows\SysWOW64\ieframe.oca
4^tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
InternetOpenUrlA
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetDirectory
Http_DownloadFile
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpDownload
FtpUpload
cmdShowfiles
msvbvm60.dll
tmrTCP
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
.text
`.data
.rsrc
.rsrch
KERNEL32.DLL
MSVBVM60.DLL
*\AH:\Blackshades Project\Blackshades NET\server\server.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
http\shell\open\command
127.0.0.1
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
http://www.facebook.com/?ref=home
http://www.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WScript.Shell
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
/stext mess.dat
abe2869f-9b47-4cd9-a358-c22904dba7f7
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
https://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
\system32\userinit.exe
steam.exe
hl.exe
\rspad.dat
@*\AH:\Blackshades Project\Blackshades NET\server\server.vbp
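
The strings dumped from svchost.exe_328 carry the VB6 project path *\AH:\Blackshades Project\Blackshades NET\server\server.vbp together with the usual Blackshades NET capability set: keyboard hooks (SetWindowsHookExA, GetAsyncKeyState, GetKeyboardState) and a Keylog routine, webcam capture through avicap32.dll, UDPFlood, an HTTP CONNECT relay, password dumps written with the NirSoft-style /stext switch from the dropped pws_*.bss tools (mail.dat, ffpw.dat, chro.dat), a REG ADD that clears DoNotAllowExceptions and whitelists the implant in the Windows Firewall, Run / Policies\Explorer\run / userinit persistence, and an api.ipinfodb.com geolocation lookup. svchost.exe_868 is a different module: iphlpapi's GetExtendedTcpTable and SetTcpEntry next to a list of security-product updater process names (avp.exe, ekrn.exe, mcupdmgr.exe, drwupsrv.exe, ...) and truncated IP prefixes, a combination consistent with code that enumerates TCP connections and tears down those belonging to AV updaters (SetTcpEntry with dwState set to MIB_TCP_STATE_DELETE_TCB closes another process's connection); its ilmioip.it string is another external-IP lookup. svchost.exe_1480 holds the persistence keys plus the EnableLUA policy value. The script below is an added triage example, not part of the Lavasoft report, that tags a strings dump with capability categories and extracts the partial IP prefixes; the category names and regexes are the example's own, and the three sample dumps are constructed excerpts of the listings above.

```python
import re

# Indicator categories matched line by line against a strings dump. The category names
# and regexes are this example's own, chosen from the strings listed in the report.
INDICATORS = {
    "persistence_autostart": [r"CurrentVersion\\Run\b", r"Winlogon\\Shell",
                              r"userinit\.exe", r"Policies\\Explorer\\run"],
    "uac_tamper": [r"EnableLUA"],
    "firewall_tamper": [r"FirewallPolicy", r"DoNotAllowExceptions", r"AuthorizedApplications"],
    "keylogging": [r"SetWindowsHookExA", r"GetAsyncKeyState", r"GetKeyboardState", r"\bKeylog\b"],
    # /stext is the "save as text" switch of the NirSoft password-recovery tools
    "credential_theft": [r"^/stext ", r"pws_\w+\.bss", r"moz_logins",
                         r"bankofamerica\.com", r"DigitalProductId"],
    "webcam_capture": [r"avicap32\.dll", r"WebCamCapture", r"WEBCAMLIVE"],
    "ddos": [r"UDPFlood"],
    "proxy_relay": [r"^CONNECT %s:%i HTTP/1\.0$", r"usrReverseRelay"],
    # SetTcpEntry with dwState = MIB_TCP_STATE_DELETE_TCB closes another process's connection
    "tcp_connection_kill": [r"^SetTcpEntry$", r"^GetExtendedTcpTable$"],
    "av_update_processes": [r"^(?:avp|avgmfapx|guardxup|mcupdmgr|FPAVServer|drwupsrv|"
                            r"BullGuardUpdate|fshoster32|ekrn|AVKProxy|ALUpdate)\.exe$",
                            r"^avast\.setup$"],
    "removable_media": [r"^[Aa]utorun\.in[fi]$"],
    "external_ip_lookup": [r"ilmioip\.it", r"ipinfodb\.com"],
    "blackshades_artifacts": [r"Blackshades", r"bss_server", r"nir_cmd\.bss"],
}

# Two- or three-octet fragments such as 89.202.14; complete dotted quads do not match.
_PARTIAL_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){1,2}$")

# Constructed excerpts of the strings dumps reproduced in this report.
DUMP_868 = r"""
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
http://www.ilmioip.it
avp.exe
127.0.0.1
avast.setup
mcupdmgr.exe
drwupsrv.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
89.202.149
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
"""

DUMP_1480 = r"""
Svchost*1*|OFF|*appdata*Trion\*svchost.exe*
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
WScript.Shell
Explorer.exe,
a.exe
"""

DUMP_328 = r"""
*\AH:\Blackshades Project\Blackshades NET\server\server.vbp
bss_server.usrReverseRelay
avicap32.dll
GetAsyncKeyState
SetWindowsHookExA
UDPFlood
\nir_cmd.bss monitor off
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
\pws_ff.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
api.ipinfodb.com
/stext ffpw.dat
CONNECT %s:%i HTTP/1.0
autorun.inf
https://onlineeast#.bankofamerica.com
moz_logins
WEBCAMLIVE
\system32\userinit.exe,
255.255.255.255
"""


def classify(dump: str) -> dict[str, list[str]]:
    """Map each indicator category to the dump lines that triggered it."""
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    hits: dict[str, list[str]] = {}
    for category, patterns in INDICATORS.items():
        matched = [ln for ln in lines if any(re.search(p, ln) for p in patterns)]
        if matched:
            hits[category] = matched
    return hits


def capabilities(dump: str) -> list[str]:
    """Sorted category names, suitable for a one-line verdict per dumped region."""
    return sorted(classify(dump))


def truncated_ip_prefixes(dump: str) -> list[str]:
    """Partial IPv4 prefixes in dump order (the 868 module's target network list)."""
    return [ln.strip() for ln in dump.splitlines() if _PARTIAL_IP.match(ln.strip())]


if __name__ == "__main__":
    for name, dump in (("svchost.exe_868", DUMP_868), ("svchost.exe_1480", DUMP_1480),
                       ("svchost.exe_328", DUMP_328)):
        print(name, capabilities(dump), truncated_ip_prefixes(dump))
```

The same table works on any strings output (strings, FLOSS, a sandbox's memory-region dump) as long as it is one string per line; the point of keeping the patterns anchored for short names such as avp.exe is to avoid tagging every dump that happens to mention a legitimate updater somewhere in a longer path.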

A5OINK8SAER9Y.exe_1684:

.text
`.rdata
@.data
.rsrc
@.reloc
Invalid parameter passed to C runtime function.
mi_exe_stub.pdb
GetProcessHeap
KERNEL32.dll
msvcrt.dll
_acmdln
_amsg_exit
SHLWAPI.dll
ole32.dll
SHELL32.dll
USER32.dll
###7777_{
###____777
###````87{
GoogleUpdateSetup.exe
/%s %s /%s
Windows 2000 Service Pack 4
Windows 2000
Unknown Installer ErrorTInstallation failed. %1!s! Installer requires Windows 2000 Service Pack 4 or better.
[the same "%1!s! Installer" / "Unknown Installer Error" / "Installation failed. %1!s! Installer requires Windows 2000 Service Pack 4 or better." resource strings follow, truncated, in Catalan, Czech, Danish, German, Finnish, French, Hungarian, Icelandic, Italian, Dutch, Norwegian, Polish, Portuguese, Romanian, Croatian, Slovak, Swedish, Turkish, Indonesian, Slovenian, Estonian, Malay, Swahili, Filipino, Spanish and a few other languages; the English text is shown above]
1.3.21.111

GoogleUpdate.exe_316:

.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
kernel32.dll
GetProcessWindowStation
USER32.DLL
GoogleUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
###7777_{
###____777
###````87{
%Program Files%\GUMD.tmp\GoogleUpdate.exe
goopdate.dll
GoogleUpdate.exe
Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
1.3.21.103
2007-2010
2007-2010

GoogleUpdate.exe_1812:

.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
kernel32.dll
GetProcessWindowStation
USER32.DLL
GoogleUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
###7777_{
###____777
###````87{
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
goopdate.dll
GoogleUpdate.exe
Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
1.3.21.103
2007-2010
2007-2010

GoogleUpdate.exe_1308:

.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
kernel32.dll
GetProcessWindowStation
USER32.DLL
GoogleUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
###7777_{
###____777
###````87{
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
goopdate.dll
GoogleUpdate.exe
Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
1.3.21.103
2007-2010
2007-2010


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:1308
    GoogleUpdate.exe:1988
    GoogleUpdate.exe:756
    A5OINK8SAER9Y.exe:1684
    %original file name%.exe:468

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_et.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_iw.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en-GB.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateSetup.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ml.dll (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ur.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe (59 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sl.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_nl.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_gu.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_de.dll (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-BR.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ca.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_no.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ko.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_mr.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fi.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es-419.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler64.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_is.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_vi.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_tr.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ta.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sw.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_am.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_kn.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ms.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ja.dll (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fr.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hr.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es.dll (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-PT.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lv.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sv.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_uk.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateHelper.msi (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sk.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_it.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bn.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fa.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bg.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdate.dll (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateBroker.exe (59 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ru.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ro.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pl.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_cs.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_el.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fil.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_da.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdate.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sr.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-TW.dll (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psmachine.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_th.dll (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_te.dll (29 bytes)
    %WinDir%\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (970 bytes)
    %WinDir%\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (918 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-CN.dll (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hi.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lt.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_id.dll (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hu.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ar.dll (26 bytes)
    %Program Files%\GUMD.tmp\GoogleUpdateBroker.exe (59 bytes)
    %Program Files%\GUMD.tmp\goopdateres_gu.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_sv.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_fil.dll (30 bytes)
    %Program Files%\GUMD.tmp\goopdateres_hr.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_kn.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_th.dll (27 bytes)
    %Program Files%\GUMD.tmp\goopdateres_sl.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_fr.dll (30 bytes)
    %Program Files%\GUMD.tmp\goopdateres_pt-BR.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_zh-TW.dll (21 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ar.dll (26 bytes)
    %Program Files%\GUMD.tmp\goopdateres_en.dll (27 bytes)
    %Program Files%\GUMD.tmp\goopdateres_lt.dll (28 bytes)
    %Program Files%\GUMD.tmp\psmachine.dll (157 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ur.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_it.dll (30 bytes)
    %Program Files%\GUMD.tmp\goopdateres_uk.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_no.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_am.dll (25 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ja.dll (24 bytes)
    %Program Files%\GUMD.tmp\goopdateres_mr.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_hi.dll (29 bytes)
    %Program Files%\GUMD.tmp\GoogleUpdateOnDemand.exe (59 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ml.dll (31 bytes)
    %Program Files%\GUMD.tmp\goopdateres_cs.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ta.dll (30 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ms.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ko.dll (23 bytes)
    %Program Files%\GUMD.tmp\goopdateres_te.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_pl.dll (30 bytes)
    %Program Files%\GUMD.tmp\goopdateres_de.dll (31 bytes)
    %Program Files%\GUMD.tmp\GoogleUpdate.exe (116 bytes)
    %Program Files%\GUMD.tmp\goopdateres_es.dll (31 bytes)
    %Program Files%\GUMD.tmp\psuser.dll (157 bytes)
    %Program Files%\GUMD.tmp\goopdateres_bg.dll (30 bytes)
    %Program Files%\GUMD.tmp\goopdateres_bn.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ru.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_el.dll (30 bytes)
    %Program Files%\GUMD.tmp\goopdateres_is.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_sk.dll (29 bytes)
    %Program Files%\GUMD.tmp\GoogleCrashHandler.exe (180 bytes)
    %Program Files%\GUMD.tmp\goopdateres_hu.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_et.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_id.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_es-419.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_da.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_lv.dll (30 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ca.dll (29 bytes)
    %Program Files%\GUMD.tmp\GoogleUpdateHelper.msi (25 bytes)
    %Program Files%\GUMD.tmp\goopdateres_iw.dll (26 bytes)
    %Program Files%\GUMD.tmp\goopdateres_en-GB.dll (28 bytes)
    %Program Files%\GUMD.tmp\goopdateres_zh-CN.dll (21 bytes)
    %Program Files%\GUMD.tmp\GoogleUpdateSetup.exe (5441 bytes)
    %Program Files%\GUMD.tmp\goopdateres_sr.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdate.dll (1990 bytes)
    %Program Files%\GUMD.tmp\goopdateres_vi.dll (28 bytes)
    %Program Files%\GUTE.tmp (25429 bytes)
    %Program Files%\GUMD.tmp\npGoogleUpdate3.dll (838 bytes)
    %Program Files%\GUMD.tmp\goopdateres_ro.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_nl.dll (30 bytes)
    %Program Files%\GUMD.tmp\goopdateres_fa.dll (27 bytes)
    %Program Files%\GUMD.tmp\goopdateres_tr.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_fi.dll (29 bytes)
    %Program Files%\GUMD.tmp\GoogleCrashHandler64.exe (233 bytes)
    %Program Files%\GUMD.tmp\goopdateres_pt-PT.dll (29 bytes)
    %Program Files%\GUMD.tmp\goopdateres_sw.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.bat (158 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.txt (158 bytes)
    %Documents and Settings%\%current user%\Application Data\Trion\svchost.exe (17563 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Google Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
