Worm.Win32.Ainslot_VariantOfZeus_9ff4ab1084

by malwarelabrobot on April 17th, 2014 in Malware Descriptions.

Trojan.Win32.Inject.ffcq (Kaspersky), Trojan.Generic.KDV.899755 (B) (Emsisoft), Trojan.Generic.KDV.899755 (AdAware), Worm.Win32.Ainslot.VB.FD, mzpefinder_pcap_file.YR, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 9ff4ab108470b391e78ae0cf1ac11541
SHA1: c9bb58780a610180e798d2ce2697a0d00741ca0d
SHA256: 52838a70af87da3c7df1aaa12f10cc696d4e1c730df54352ac199dbdfe787707
SSDeep: 6144:H8mtRUoQhpTaUU4NNH/S4ouvtry5oSMgH4W8ocbf:cSMTaUnNN5oN59R/Qf
Size: 229142 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SummerSoft
Created at: 2013-03-14 19:53:09
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

%original file name%.exe:1540
%original file name%.exe:2012
reg.exe:1976
reg.exe:2020
reg.exe:196
reg.exe:616
88529.exe:672

The Worm injects its code into the following process(es):

%original file name%.exe:680
88529.exe:1688

File activity

The process %original file name%.exe:680 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\88529.exe (198990 bytes)
%Documents and Settings%\%current user%\Application Data\Java (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\avgscrs[1].exe (278840 bytes)

Registry activity

The process %original file name%.exe:680 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{D7DCAA1F-17CB-BCC0-B80A-BAD165DB5A1B}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"I5NFMCGRKX" = "uokk"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Windows Defender" = "%Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Active Setup\Installed Components\{D7DCAA1F-17CB-BCC0-B80A-BAD165DB5A1B}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"88529.exe" = "Johnrey Angolluan"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 8F 29 8E 3A AC DC 21 44 67 A1 E4 C3 05 BC 3F"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"I5NFMCGRKX" = "April 16, 2014"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "%Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process reg.exe:1976 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE AD 7B 35 3B B4 B3 F4 9D A4 AF A9 68 15 66 BC"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:2020 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 AD 9F 3C C0 4C 6A F8 27 93 3C 3A C3 B8 EA A0"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\]
"%original file name%.exe" = "c:\\%original file name%.exe:*:Enabled:Windows Messanger"

The process reg.exe:196 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 07 00 CD B6 48 E2 4B 18 CF F2 DD 35 09 DF 84"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:616 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 5D E9 DD E8 4A 41 8E B3 7A A8 89 03 E5 BF 9C"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"4JP89JTS2R.exe" = "%Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe:*:Enabled:Windows Messanger"

The process 88529.exe:1688 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 80 E5 7E 53 E1 E5 50 3B 08 ED A5 B2 FC C9 1D"

The process 88529.exe:672 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 7C 0A F8 D4 DF 9F FF CD 4F F4 3D F5 D1 7A 7B"

Dropped PE files

MD5 File path
bd66ed2ebba87e96dcb8de926c530359 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\88529.exe
bd66ed2ebba87e96dcb8de926c530359 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\avgscrs[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 4884 5120 3.95101 544ce9b3dfb5555adad35c73c64ed92c
.data 12288 24 512 0.127644 443d074ae3b8bd56a7bfa904d6a883db
.rdata 16384 480 512 3.49138 81e9872414cc5d9c3261c4d2709a1a8a
.bss 20480 3448 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 24576 1004 1024 3.00765 5ce8756d4398282aaf1bb26c14a74b4c
/4 28672 64 512 0.239287 89dfa4e93d68683179dee342df4b1715
/19 32768 776 1024 2.92037 b1c9b2f6a7d0da2bbc97386ce486ccd4
/35 36864 10158 10240 4.03294 c62204e2c01f5ed4512ca9eb36582afd
/47 49152 1311 1536 2.83941 e6ef4ad7a645f13a9ed4d3aba7396711
/61 53248 1025 1536 3.12479 dade3222b40ede1c0a6556e3a95c9e0e
/73 57344 536 1024 1.65692 6375e5544633eb2ba0bcf896363f0ec3
/86 61440 56 512 0.621308 00649871a50b07ce4a51930592548079
/97 65536 1477 1536 2.03454 9cd1ba980f09725c98d836f885763fe3
/108 69632 48 512 0.158541 8da6367e297d4042c5de684e0e9fdaa2
.rsrc 73728 400 512 3.97592 e2b3cb481b6e84d1ca6966bdfa9e3694
ivmn 77824 4096 512 0.678231 d900c542711a06a9b7ad8c6e655bf6a1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://api.ipinfodb.com/v2/ip_query_country.php?key=&timezone=off 192.187.109.60
hxxp://costumbresmexico.com/wp-includes/avgscrs.exe
hxxp://api.ipinfodb.com/v2/ip_query.php?key=&timezone=off
www.costumbresmexico.com 173.254.28.69
1zeroexe.no-ip.org 190.101.43.120
5noseqwa.no-ip.info 190.101.43.120


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN x0Proto Ping

Traffic

GET /wp-includes/avgscrs.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.costumbresmexico.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 16 Apr 2014 12:05:09 GMT
Server: Apache
Last-Modified: Tue, 15 Apr 2014 06:41:50 GMT
Accept-Ranges: bytes
Content-Length: 1404928
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive
Content-Type: application/octet-stream
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
....e.......................Rich....................PE..L...,.MS......
...........0...........W.......@....@.................................
|........................................-..(.........................
..................................................0... .......<....
........................text.... .......0.................. ..`.data..
.$....@.......@[email protected]............ ...P..............@
..@l.[J............MSVBVM60.DLL.......................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>
%original file name%.exe_680:

`.rsrc
_WebHide
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\msvbvm60.dll\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
C:\Windows\SysWOW64\ieframe.oca
6tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
FtpDownload
InternetOpenUrlA
FtpUpload
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpGetDirectory
Http_DownloadFile
cmdShowfiles
msvbvm60.dll
tmrTCP
?8??8??8??8??8?
2>e%Xdq
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
.text
`.data
.rsrc
`.daW[
KERNEL32.DLL
MSVBVM60.DLL
zeroexe.no-ip.org
4JP89JTS2R.exe
Windows Defender
{D7DCAA1F-17CB-BCC0-B80A-BAD165DB5A1B}
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
http://www.facebook.com/?ref=home
http://www.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
WScript.Shell
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
abe2869f-9b47-4cd9-a358-c22904dba7f7
/stext mess.dat
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
http\shell\open\command
127.0.0.1
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
https://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
\system32\userinit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
steam.exe
hl.exe
\rspad.dat

%original file name%.exe_680_rwx_00400000_0007B000:

`.rsrc
_WebHide
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\msvbvm60.dll\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
C:\Windows\SysWOW64\ieframe.oca
6tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
FtpDownload
InternetOpenUrlA
FtpUpload
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpGetDirectory
Http_DownloadFile
cmdShowfiles
msvbvm60.dll
tmrTCP
?8??8??8??8??8?
2>e%Xdq
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
.text
`.data
.rsrc
`.daW[
KERNEL32.DLL
MSVBVM60.DLL
zeroexe.no-ip.org
4JP89JTS2R.exe
Windows Defender
{D7DCAA1F-17CB-BCC0-B80A-BAD165DB5A1B}
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
http://www.facebook.com/?ref=home
http://www.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
WScript.Shell
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
abe2869f-9b47-4cd9-a358-c22904dba7f7
/stext mess.dat
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
http\shell\open\command
127.0.0.1
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
https://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
\system32\userinit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
steam.exe
hl.exe
\rspad.dat

88529.exe_1688:

`.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
EInvalidOperation
u%CNu
%s[%d]
EInvalidGraphicOperation
ole32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
ftpTransfer
ftpReady
ftpAborted
ClientPortMin(
ClientPortMaxl
Port@
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
Password(
Portl
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
TIdTCPClient
TIdTCPClient`cD
IdTCPClient
BoundPortl
PortU
%s%.2d%s
1.0.4
%dx%d (RGB)
deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
inflate 1.0.4 Copyright 1995-1996 Mark Adler
GetCPInfo
RegOpenKeyA
RegCloseKey
RegOpenKeyExA
ShellExecuteA
MsgWaitForMultipleObjects
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
KERNEL32.DLL
advapi32.dll
gdi32.dll
shell32.dll
user32.dll

88529.exe_1688_rwx_00400000_0006D000:

`.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
EInvalidOperation
u%CNu
%s[%d]
EInvalidGraphicOperation
ole32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
ftpTransfer
ftpReady
ftpAborted
ClientPortMin(
ClientPortMaxl
Port@
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
Password(
Portl
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
TIdTCPClient
TIdTCPClient`cD
IdTCPClient
BoundPortl
PortU
%s%.2d%s
1.0.4
%dx%d (RGB)
deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
inflate 1.0.4 Copyright 1995-1996 Mark Adler
GetCPInfo
RegOpenKeyA
RegCloseKey
RegOpenKeyExA
ShellExecuteA
MsgWaitForMultipleObjects
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
KERNEL32.DLL
advapi32.dll
gdi32.dll
shell32.dll
user32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1540
    %original file name%.exe:2012
    reg.exe:1976
    reg.exe:2020
    reg.exe:196
    reg.exe:616
    88529.exe:672

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe (305 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\88529.exe (198990 bytes)
    %Documents and Settings%\%current user%\Application Data\Java (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\avgscrs[1].exe (278840 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender" = "%Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender" = "%Documents and Settings%\%current user%\Application Data\4JP89JTS2R.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now