MD5: 2c43996fbd61cecc16811fe431bf41eb
SHA1: e3bef6ce7850504adf7a622bf26918727d51886d
SHA256: 17ab365ef6345f546b06bd8e557b664600c6ca6493e426e0d09001f6987860d5
SSDeep: 12288:7K2mhAMJ/cPl0euoTcb9z21XYKchKB2LH7pJfiLLvX/WDujwrKPvOhlqO4xL:O2O/Gl004blfKcF7ri3vTjBPWhk3t
Size: 746936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Destiny Media
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXP SP3 32-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Process activity

The Worm creates the following process(es):

%original file name%.exe:1612

The Worm injects its code into the following process(es):

gfg.exe:2024
gfg.exe:1892

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process gfg.exe:2024 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\gfg.exe (5441 bytes)

The process gfg.exe:1892 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\Microsoft.net32\Microsoft.NET.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\23vr343232e3e3.dat (360 bytes)

The process %original file name%.exe:1612 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

The Worm deletes the following file(s):

Registry activity

The process gfg.exe:2024 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 22 C7 9A B5 44 DF D9 83 7D D7 60 02 76 AC AE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"g" = "C:\DOCUME~1\"%CurrentUserName%"\g\gfg.exe"

The process gfg.exe:1892 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\XtremeRAT]
"Mutex" = "23vr343232e3e3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1327872748"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\23vr343232e3e3]
"ServerStarted" = "04/07/2014 13:06:28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "gfg.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 30 E6 73 61 D4 24 3B 62 A9 AB C1 EF 16 BE 70"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 E5 D5 87 B8 6C F0 BF F2 B8 27 EC AB E3 E1 C1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:\Documents and Settings\"%CurrentUserName%"\g]
"gfg.exe" = "gfg"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
flexcop.no-ip.org	204.95.99.109

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET TROJAN Win32/Xtrat.A Checkin

Traffic

The Worm connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

s%j.Zf

8crtsu

:crts

crts

GetProcessWindowStation

operator

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.

uxtheme.dll

kernel32.dll

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with PCRE_UCP support

ICMP.DLL

advapi32.dll

RegDeleteKeyExW

Error text not found (please report)

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

USERENV.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÁ

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

>>>AUTOIT NO CMDEXECUTE<<<

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

#NoAutoIt3Execute

APPSKEY

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

%s (%d) : ==> %s:

UDPSTARTUP

UDPSHUTDOWN

UDPSEND

UDPRECV

UDPOPEN

UDPCLOSESOCKET

UDPBIND

TRAYGETMSG

TCPSTARTUP

TCPSHUTDOWN

TCPSEND

TCPRECV

TCPNAMETOIP

TCPLISTEN

TCPCONNECT

TCPCLOSESOCKET

TCPACCEPT

SHELLEXECUTEWAIT

SHELLEXECUTE

REGENUMKEY

MSGBOX

ISKEYWORD

HTTPSETUSERAGENT

HTTPSETPROXY

HOTKEYSET

GUIREGISTERMSG

GUIGETMSG

GUICTRLSENDMSG

GUICTRLRECVMSG

FTPSETPROXY

\??\%s

GUI_RUNDEFMSG

SendKeyDelay

SendKeyDownDelay

TCPTimeout

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AutoIt.Error

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

HOTKEYPRESSED

AUTOITEXE

WINDOWSDIR

3, 3, 8, 1

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

D:\Documents and Settings\"%CurrentUserName%"\g\gfg.exe

:D:\Documents and Settings\"%CurrentUserName%"\g\gfg.exe

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.

>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

gfg.exe_2024_rwx_01340000_00001000:

.rsrc

gfg.exe_1892:

`.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

http://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

flexcop.no-ip.org

ftpuser

Microsoft.NET.exe

webcamstart|46|0|

Microsoft.net32

{5460C4DF-B266-909E-CB58-E32B79832EB2}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ftp.ftpserver.com

D:\Documents and Settings\"%CurrentUserName%"\g\gfg.exe

gfg.exe_1892_rwx_10000000_0004D000:

`.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

http://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

flexcop.no-ip.org

ftpuser

Microsoft.NET.exe

webcamstart|46|0|

Microsoft.net32

{5460C4DF-B266-909E-CB58-E32B79832EB2}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ftp.ftpserver.com

D:\Documents and Settings\"%CurrentUserName%"\g\gfg.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1612

2. Delete the original Worm file.
   
3. Delete or disinfect the following files created/modified by the Worm:
   

   C:\gfg.exe (5441 bytes)
   %WinDir%\Microsoft.net32\Microsoft.NET.exe (5441 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\23vr343232e3e3.dat (360 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   "g" = "C:\DOCUME~1\"%CurrentUserName%"\g\gfg.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.