Worm.Win32.AutoItGen_ce77711973

by malwarelabrobot on December 16th, 2014 in Malware Descriptions.

WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: ce77711973deeca12d946693d81266a6
SHA1: c46f1c5cbc1462154d3bd9679ff587dc7b3588c0
SHA256: d3ef7d45c8a7dad2fc0db60e13a9e18ab0ec11f5e9f803d67b986b3294c3a5a5
SSDeep: 98304:myviZ9nx34zC6mCFwNR8bN9a5CppqVsNUC:mkiznx34flKqNAMoqNd
Size: 3369920 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPX Compresor Gratuito (www.upx.sourceforge.net), UPolyXv05_v6
Company: Viber Media Inc
Created at: 2007-11-27 16:14:43
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Worm. A program that primarily replicates over networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

TPAutoConnSvc.exe:1844
InfDefaultInstall.exe:2016
regsvr32.exe:2440
runonce.exe:2388
runonce.exe:1412
setup.exe:1960

The Worm injects its code into the following process(es):

%original file name%.exe:212

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process InfDefaultInstall.exe:2016 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\SysWOW64\SET8F.tmp (1281 bytes)
C:\Windows\SysWOW64\SETA0.tmp (7809 bytes)
C:\Windows\SysWOW64\SETA1.tmp (2321 bytes)
C:\Windows\inf\SET5E.tmp (2 bytes)
C:\Windows\SysWOW64\SET8E.tmp (4984 bytes)

The process regsvr32.exe:2440 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\SysWOW64\MPG4DS32.AX (245 bytes)

The process %original file name%.exe:212 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files% (x86)\Your Camera\Audio_ang\Kam1.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\exceptions.$$A (10 bytes)
%Program Files% (x86)\Your Camera\setup.$$A (16341 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam3.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\_tkinter.$$A (707 bytes)
%Program Files% (x86)\Your Camera\YourCamera.exe (291 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam13.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam11.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\WWW\tlo_dvr_mini.$$A (3 bytes)
%Program Files% (x86)\Your Camera\Java application for mobile\YourCamera.$$A (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\User's Guide.lnk (1 bytes)
%Program Files% (x86)\Your Camera\Konwerter\zlib.$$A (2543 bytes)
%Program Files% (x86)\Your Camera\Konwerter\python15.$$A (10504 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam15.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam10.$$A (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\Uninstall.lnk (1 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam14.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\setup.exe (16 bytes)
%Program Files% (x86)\Your Camera\Konwerter\wbmpconv.$$A (16040 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam16.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\tk80.$$A (13968 bytes)
%Program Files% (x86)\Your Camera\Uninstal.exe (104947 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam8.$$A (2104 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Your Camera.lnk (1 bytes)
%Program Files% (x86)\Your Camera\Uninstal.$$A (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\Your Camera.lnk (1 bytes)
%Program Files% (x86)\Your Camera\User's guide.$$A (12487 bytes)
%Program Files% (x86)\Your Camera\YourCamera.$$A (51548 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam2.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\_imaging.$$A (6040 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam12.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Konwerter\tcl80.$$A (7168 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam4.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam6.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam9.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam7.$$A (2104 bytes)
%Program Files% (x86)\Your Camera\Audio_ang\Kam5.$$A (2104 bytes)

The process runonce.exe:1412 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)

Registry activity

The process TPAutoConnSvc.exe:1844 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"

[HKU\.DEFAULT\Printers\DevModes2]
"HP LaserJet Professional M1212nf MFP#:3" = "48 00 50 00 20 00 4C 00 61 00 73 00 65 00 72 00"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:3]

The process InfDefaultInstall.exe:2016 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.I420" = "iyuv_32.dll"
"midimapper" = "midimap.dll"
"msacm.msg711" = "msg711.acm"
"vidc.cvid" = "iccvid.dll"

[HKLM\System\CurrentControlSet\Control\MediaResources\icm\vidc.mp43]
"Description" = "nAVI Vx3 MPEG-4 Codec"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wave" = "wdmaud.drv"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DIVXCodec]
"DisplayName" = "nAVI Vx3 MPEG-4 Codec"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.yuy2" = "msyuv.dll"
"vidc.mrle" = "msrle32.dll"
"midi" = "wdmaud.drv"
"wavemapper" = "msacm32.drv"

[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.app.log" = "4096"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.msvc" = "msvidc32.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"(Default)" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.yvyu" = "msyuv.dll"
"msacm.imaadpcm" = "imaadp32.acm"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.uyvy" = "msyuv.dll"
"aux" = "wdmaud.drv"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DIVXCodec]
"UninstallString" = "C:\Windows\rundll.exe setupx.dll,InstallHinfSection Remove_nAVI 132 C:\Windows\INF\divx.inf"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mp43" = "mpg4c32.dll"
"msacm.msgsm610" = "msgsm32.acm"
"Mixer" = "wdmaud.drv"

[HKLM\System\CurrentControlSet\Control\MediaResources\icm\vidc.mp43]
"driver" = "mpg4c32.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.iyuv" = "iyuv_32.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\setup]
"DisplayName" = "setup (Remove only)"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"msacm.msadpcm" = "msadp32.acm"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\setup]
"UninstallString" = "C:\Windows\rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\setup.inf,DefaultUninstall"

[HKLM\System\CurrentControlSet\Control\MediaResources\icm\vidc.mp43]
"FriendlyName" = "nAVI Vx3 MPEG-4 Codec"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"Wallpaper" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.yvu9" = "tsbyuv.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"TileWallpaper" = "0"

The Worm adds the following values under the RunOnce key. RunOnce entries are executed a single time at the next logon and are removed as they are processed (the deletions by runonce.exe recorded further down are that clean-up), so this is a one-shot post-install step that registers the dropped DirectShow filter mpg4ds32.ax, not a persistent autorun pointing at the Worm's own file:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup]
"Registering nAVI Vx3 MPEG-4 Codec" = "C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\mpg4ds32.ax"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Wrapper" = "runonce"
"GrpConv" = "grpconv -o"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.i420"
"msacm.msgsm610"
"midimapper"
"msacm.msg711"
"mixer"
"msacm.msadpcm"
"vidc.msvc"
"vidc.cvid"
"vidc.yvyu"
"aux"
"msacm.imaadpcm"
"vidc.uyvy"
"wave"
"vidc.yvu9"
"vidc.yuy2"
"vidc.mrle"
"vidc.iyuv"
"wavemapper"
"midi"

The process regsvr32.exe:2440 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}\InprocServer32]
"(Default)" = "C:\Windows\SysWow64\mpg4ds32.ax"

[HKCR\Wow6432Node\CLSID\{075BB8A1-B7D8-11D2-A1C6-00609778EA66}]
"(Default)" = "Microcrap MPEG-4 Video Decompressor About Page"

[HKCR\Wow6432Node\CLSID\{075BB8A1-B7D8-11D2-A1C6-00609778EA66}\InprocServer32]
"(Default)" = "C:\Windows\SysWow64\mpg4ds32.ax"

[HKCR\Wow6432Node\CLSID\{598EBA02-B49A-11D2-A1C1-00609778EA66}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}]
"FilterData" = "02 00 00 00 00 00 80 00 02 00 00 00 00 00 00 00"

[HKCR\Wow6432Node\CLSID\{598EBA02-B49A-11D2-A1C1-00609778EA66}\InprocServer32]
"(Default)" = "C:\Windows\SysWow64\mpg4ds32.ax"

[HKCR\Wow6432Node\CLSID\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{598EBA02-B49A-11D2-A1C1-00609778EA66}]
"(Default)" = "Microcrap MPEG-4 Video Decompressor Property page"

[HKCR\Wow6432Node\CLSID\{075BB8A1-B7D8-11D2-A1C6-00609778EA66}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}]
"FriendlyName" = "Microcrap MPEG-4 Video Decompressor"
"CLSID" = "{82CCD3E0-F71A-11D0-9FE5-00609778EA66}"

[HKCR\Wow6432Node\CLSID\{82CCD3E0-F71A-11D0-9FE5-00609778EA66}]
"(Default)" = "Microcrap MPEG-4 Video Decompressor"

The process %original file name%.exe:212 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Your Camera]
"DisplayName" = "Your Camera"
"UninstallString" = "%Program Files% (x86)\Your Camera\Uninstal.exe"

The process runonce.exe:2388 makes changes in the system registry.
The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup]

The Worm deletes the following value(s) in system registry. This is RunOnce housekeeping by runonce.exe (processed RunOnce values are removed), not the Worm disabling an autorun of its own:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"WarnTimeChanged"

The process runonce.exe:1412 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

The following RunOnce values, set earlier by InfDefaultInstall.exe, are deleted by runonce.exe after they have been processed (RunOnce housekeeping, not the Worm disabling an autorun of its own):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Wrapper"
"GrpConv"

The process setup.exe:1960 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
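
The RunOnce and Drivers32 changes above are the registry state a responder would want to check on other hosts. The script below is an added example, not part of the Lavasoft report: it reads those keys with winreg on Windows (the collection part is Windows-only) and applies two pure-Python checks that also run against exported values: a diff of the Drivers32 codec table against a baseline, and a listing of every RunOnce entry tagged with the helper binary it hands work to. The baseline is an assumption, taken from the stock entries the report shows the installer deleting and re-creating; the set of helper names in the regular expression is likewise this example's choice, not something the report states.

```python
"""Audit the registry locations this report touches: the RunOnce keys and the
Drivers32 codec table. Added example, not from the Lavasoft report. Collection
uses winreg (Windows only); the checks are pure Python and also run on exported
values."""
import re
import sys

RUNONCE_PATHS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
)
DRIVERS32_PATHS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32",
)

# Helpers a RunOnce command may hand work to; flagged by name. This example's choice.
HELPER_RE = re.compile(r"\b(regsvr32|rundll32|rundll|runonce|grpconv)(\.exe)?\b", re.I)

# Assumed baseline: the stock Windows 7 Drivers32 entries, taken from the values
# the report shows the installer deleting and re-creating before adding its own.
DRIVERS32_BASELINE = {
    "vidc.i420": "iyuv_32.dll", "vidc.iyuv": "iyuv_32.dll", "vidc.cvid": "iccvid.dll",
    "vidc.msvc": "msvidc32.dll", "vidc.yuy2": "msyuv.dll", "vidc.yvyu": "msyuv.dll",
    "vidc.uyvy": "msyuv.dll", "vidc.yvu9": "tsbyuv.dll", "vidc.mrle": "msrle32.dll",
    "msacm.imaadpcm": "imaadp32.acm", "msacm.msadpcm": "msadp32.acm",
    "msacm.msg711": "msg711.acm", "msacm.msgsm610": "msgsm32.acm",
    "wave": "wdmaud.drv", "midi": "wdmaud.drv", "aux": "wdmaud.drv", "mixer": "wdmaud.drv",
    "midimapper": "midimap.dll", "wavemapper": "msacm32.drv",
}


def drivers32_changes(observed, baseline=DRIVERS32_BASELINE):
    """Codec entries that are new or point at a different module than the baseline.
    Returns {name: (baseline_module or None, observed_module)}; registry value
    names are case-insensitive, so everything is compared lower-cased."""
    base = {k.lower(): v.lower() for k, v in baseline.items()}
    changes = {}
    for name, module in observed.items():
        n, m = name.lower(), module.lower()
        if base.get(n) != m:
            changes[n] = (base.get(n), m)
    return changes


def classify_runonce(values):
    """RunOnce values run once at the next logon and are then removed, so on a
    steady-state host the key is normally empty and every entry deserves a look.
    Returns [(name, command, helper)] where helper is the lower-cased helper
    binary the command invokes, or None."""
    findings = []
    for name, command in values.items():
        m = HELPER_RE.search(command)
        findings.append((name, command, m.group(1).lower() if m else None))
    return findings


def collect_hklm(path):
    """Windows only: all values under HKLM\\<path> as {name: str(data)}; {} if absent."""
    import winreg
    values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
    except FileNotFoundError:
        return values
    with key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:            # raised once index runs past the last value
                return values
            values[name] = str(data)
            index += 1


if __name__ == "__main__":
    if sys.platform == "win32":
        for path in RUNONCE_PATHS:
            for name, cmd, helper in classify_runonce(collect_hklm(path)):
                print(f"RunOnce   {path}\\{name} = {cmd}  [{helper or 'no helper'}]")
        for path in DRIVERS32_PATHS:
            for name, (was, now) in drivers32_changes(collect_hklm(path)).items():
                print(f"Drivers32 {path}\\{name} = {now}  (baseline: {was})")
    else:
        # Elsewhere, exercise the checks on the values recorded in this report.
        print(drivers32_changes(dict(DRIVERS32_BASELINE, **{"vidc.mp43": "mpg4c32.dll"})))
        print(classify_runonce({
            "Registering nAVI Vx3 MPEG-4 Codec":
                r"C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\mpg4ds32.ax",
            "Wrapper": "runonce",
            "GrpConv": "grpconv -o",
        }))
```

Run on a Windows host it prints the live RunOnce entries and any Drivers32 entry that deviates from the baseline; for the sample above that is the added "vidc.mp43" = "mpg4c32.dll" codec and the three RunOnce values, of which the first invokes regsvr32. Both the native and the Wow6432Node paths are read because a 32-bit installer writes to the redirected view, which is where this report records them.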

Dropped PE files

MD5 File path
7b993b3d92615c5f00e7f60817589fa2 c:\Program Files (x86)\Your Camera\Konwerter\_imaging.dll
68fa6e397d02f943e3fba9fd37fd95ce c:\Program Files (x86)\Your Camera\Konwerter\_tkinter.pyd
b4d91220658a37890b2c31630d303c14 c:\Program Files (x86)\Your Camera\Konwerter\python15.dll
40bf108c70798eeceb2fd6a8fd45424b c:\Program Files (x86)\Your Camera\Konwerter\tcl80.dll
58fc4540e4b0d8839f9b4e3591a5719d c:\Program Files (x86)\Your Camera\Konwerter\tk80.dll
618f3bfeab6c8a2634cdc142b5875e44 c:\Program Files (x86)\Your Camera\Konwerter\wbmpconv.exe
571a2db9cd16dcf77e6016754edaa4ea c:\Program Files (x86)\Your Camera\Konwerter\zlib.pyd
e60617324ca9729ef191dc98f9fdbc1e c:\Program Files (x86)\Your Camera\Uninstal.exe
6e08bbc98f423b054177f474e060836d c:\Program Files (x86)\Your Camera\YourCamera.exe
fa07ca8837b7fe9ca6d1978bad6d260d c:\Program Files (x86)\Your Camera\setup.exe
1c1e13493b46c3f79880a5dc37414424 c:\Windows\SysWOW64\MPG4C32.DLL
2b6ae88abfa78beb6e55e721cd632361 c:\Windows\SysWOW64\MPG4DS32.AX
1c1e13493b46c3f79880a5dc37414424 c:\Windows\System32\MPG4C32.DLL
2b6ae88abfa78beb6e55e721cd632361 c:\Windows\System32\MPG4DS32.AX

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Your Camera Install Program
Product Version: 2, 0, 0, 31
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2, 0, 0, 31
File Description:
Comments:
Language: Language Neutral

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0   4096             90112         0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   94208            57344         56832     5.48311  f9849246c739e98d2072e551bae77523
.rsrc  151552           12288         11776     3.34702  22d21d3c9e8ad1acce8e77703b4bf87d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2ce2d2aa7691b7eb
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 87.245.202.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= 23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 87.245.202.24
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl 87.245.202.16
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2ce2d2aa7691b7eb 87.245.202.24
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 87.245.202.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= 23.43.139.27
hxxp://crl.verisign.com/pca3.crl 23.43.133.163
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 87.245.202.16
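
Every URL in the table above is a certificate revocation check: the User-Agent in the traffic is Microsoft-CryptoAPI/6.1, the hosts are Microsoft and VeriSign CRL and OCSP distribution points (plus the Akamai edges they resolve to), and the long path segments on ocsp.verisign.com are OCSP requests carried in a GET as base64 of the DER OCSPRequest (RFC 6960, Appendix A). This is the background traffic Windows generates while it validates a signed binary or driver package; none of it is command-and-control. The decoder below is an added example, not part of the report: it walks one of those paths with a minimal DER parser from the standard library and returns the CertID fields (hash algorithm, issuer name hash, issuer key hash, serial), which are what you would compare against a candidate signing certificate. The three sample URLs are copied from the table; nothing else is assumed.

```python
"""Decode the OCSP request CryptoAPI places in a GET path (RFC 6960, Appendix A:
base64 of the DER OCSPRequest). Added example; standard library only."""
import base64
from urllib.parse import unquote, urlsplit

# Requests copied from the URL table of this report (defanged hxxp:// scheme kept).
SAMPLE_URLS = (
    "hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=",
    "hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=",
    "hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=",
)

SEQUENCE, INTEGER, OCTET_STRING, OBJECT_ID = 0x30, 0x02, 0x04, 0x06


def read_tlv(buf, pos):
    """Parse one DER element at pos. Returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError(f"element at {pos - 2} overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, tag):
    """read_tlv that also checks the tag; returns (value, next position)."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at {pos}, got 0x{got:02x}")
    return value, nxt


def decode_oid(value):
    """OBJECT IDENTIFIER body -> dotted string (first octet packs two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(url):
    """Return the CertIDs in an OCSP GET URL: one dict per Request with the
    hash algorithm OID and hex issuerNameHash, issuerKeyHash and serialNumber."""
    path = unquote(urlsplit(url).path.lstrip("/"))    # '+', '/', '=' may be %-escaped
    der = base64.b64decode(path)
    outer, _ = expect(der, 0, SEQUENCE)               # OCSPRequest
    tbs, _ = expect(outer, 0, SEQUENCE)               # TBSRequest
    # TBSRequest may start with [0] version and [1] requestorName; requestList is
    # its first plain SEQUENCE. CryptoAPI omits both optional fields.
    pos, request_list = 0, None
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        if tag == SEQUENCE:
            request_list = value
            break
    if request_list is None:
        raise ValueError("no requestList in TBSRequest")
    cert_ids, pos = [], 0
    while pos < len(request_list):
        request, pos = expect(request_list, pos, SEQUENCE)   # Request
        cert_id, _ = expect(request, 0, SEQUENCE)            # CertID
        alg, p = expect(cert_id, 0, SEQUENCE)                # AlgorithmIdentifier
        oid, _ = expect(alg, 0, OBJECT_ID)
        name_hash, p = expect(cert_id, p, OCTET_STRING)
        key_hash, p = expect(cert_id, p, OCTET_STRING)
        serial, _ = expect(cert_id, p, INTEGER)
        cert_ids.append({
            "hash_alg": decode_oid(oid),                     # 1.3.14.3.2.26 is SHA-1
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex(),
        })
    return cert_ids


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        for cid in decode_ocsp_get(url):
            print(url.split("/")[2], cid)
```

The issuer hashes are SHA-1 over the issuer's DN and public key, so requests that share them were made for certificates from the same CA: the second and third sample URLs differ only in the serial, while the first names a different issuer. The serial is the value to look up in the certificate chain of the dropped executables when deciding which signature Windows was checking.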


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Both alerts are decoder checks on packet checksums, not rule hits on the payload; they are typically produced by checksum offloading when traffic is captured inside a virtual machine and are not indicators of the sample.

Traffic

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2ce2d2aa7691b7eb HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Mon, 15 Dec 2014 17:00:49 GMT
Connection: keep-alive
[binary response body, 6408 bytes: Microsoft Cabinet archive (MSCF header) containing disallowedcert.stl, the Windows disallowed-certificate trust list; not reproduced]

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=457404, public, no-transform, must-revalidate
Last-Modified: Sun, 14 Dec 2014 00:03:56 GMT
Expires: Sun, 21 Dec 2014 00:03:56 GMT
Date: Mon, 15 Dec 2014 17:02:11 GMT
Connection: keep-alive
[binary body, 1453 bytes: DER OCSP response; thisUpdate 2014-12-14 00:03:56Z, nextUpdate 2014-12-21 00:03:56Z; signed by the responder certificate "Symantec Class 3 PCA - G1 OCSP Responder Certificate 3" (Symantec Corporation, Symantec Trust Network), issued by VeriSign Class 3 Public Primary Certification Authority, valid 2014-12-02 to 2015-12-16, policy URLs hXXp://VVV.symauth.com/cps and hXXp://VVV.symauth.com/rpa; not reproduced]

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=434486, public, no-transform, must-revalidate
Last-Modified: Sat, 13 Dec 2014 17:38:38 GMT
Expires: Sat, 20 Dec 2014 17:38:38 GMT
Date: Mon, 15 Dec 2014 17:02:16 GMT
Connection: keep-alive
[binary body, 1790 bytes: DER OCSP response; thisUpdate 2014-12-13 17:38:38Z, nextUpdate 2014-12-20 17:38:38Z; signed by "VeriSign Class 3 Code Signing 2009-2 OCSP Responder", issued by VeriSign Class 3 Code Signing 2009-2 CA, valid 2014-12-05 to 2015-03-05, policy URL hXXps://VVV.verisign.com/rpa; not reproduced]

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=580578, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT
Expires: Mon, 22 Dec 2014 10:19:02 GMT
Date: Mon, 15 Dec 2014 17:02:46 GMT
Connection: keep-alive
[binary body, 1790 bytes: DER OCSP response; thisUpdate 2014-12-15 10:19:02Z, nextUpdate 2014-12-22 10:19:02Z; same responder as the previous response; truncated in the capture, not reproduced]


GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.5
VTag: 791936916300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 15 Dec 2014 17:01:36 GMT
Connection: keep-alive
[binary body, 554 bytes: DER CRL issued by Microsoft Code Signing PCA (Microsoft Corporation, Redmond, Washington, US); thisUpdate 2014-11-12 17:32:06Z, nextUpdate 2015-02-11 05:52:06Z, next publish 2015-02-10 17:42:06Z; no revoked certificates listed. The capture then repeats the same response headers and CRL a second time; the duplicate is not reproduced]

<<< skipped >>>

GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com


HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Mon, 15 Dec 2014 17:02:22 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
[binary body, 933 bytes: DER CRL issued by VeriSign Class 3 Public Primary Certification Authority; thisUpdate 2014-09-22 00:00:00Z, nextUpdate 2014-12-31 23:59:59Z; lists revoked serials with revocation dates between 2001-02-07 and 2014-01-29. The capture then repeats the same response headers and CRL a second time; the duplicate is not reproduced]

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
Accept-Ranges: bytes
ETag: "a2f3ff97eeecf1:0"
Server: Microsoft-IIS/8.5
VTag: 791939326400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Mon, 15 Dec 2014 17:00:55 GMT
Connection: keep-alive
[binary body, 813 bytes: DER CRL issued by Microsoft Root Certificate Authority (DC=com, DC=microsoft); thisUpdate 2014-10-22 20:48:22Z, nextUpdate 2015-01-21 09:08:22Z, next publish 2015-01-20 20:58:22Z; one revoked certificate, revoked 2010-02-08 01:49:12Z. The capture then repeats the same response headers and CRL a second time; the duplicate is not reproduced]

<<< skipped >>>

GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT
Accept-Ranges: bytes
ETag: "3e1c83923e1cf1:0"
Server: Microsoft-IIS/8.0
VTag: 438466244800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Mon, 15 Dec 2014 17:01:01 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT
Accept-Ranges: bytes
ETag: "58cddbea90dfcf1:0"
Server: Microsoft-IIS/8.5
VTag: 279619316300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Mon, 15 Dec 2014 17:01:06 GMT
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=434323, public, no-transform, must-revalidate
Last-Modified: Sat, 13 Dec 2014 17:38:40 GMT
Expires: Sat, 20 Dec 2014 17:38:40 GMT
Date: Mon, 15 Dec 2014 17:02:35 GMT
Connection: keep-alive

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Mon, 15 Dec 2014 17:01:42 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=561100, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 04:54:07 GMT
Expires: Mon, 22 Dec 2014 04:54:07 GMT
Date: Mon, 15 Dec 2014 17:02:28 GMT
Connection: keep-alive

<<< skipped >>>

The Worm connects to the servers at the following location(s):

%original file name%.exe_212:

.rsrc
zhXXp://w.clic
kteam.com
%S<:W
zhXXp://VVV.clickteam.com
D$%S<:W
.clit/
.clit
(hXXp://VVV.clickteam.com/pub
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows NT\CurrentVersion\Fonts
inflate 1.1.3 Copyright 1995-1998 Mark Adler
__MSVCRT_HEAP_SELECT
user32.dll
Software\Microsoft\Windows\CurrentVersion
KERNEL32.DLL
hXXps://
hXXp://
uxtheme.dll
1.1.3
msiexec
#Windows#
%s "%s"
%s%3.3d
-q "%s"
oleaut32.dll
-s "%s"
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
\WININIT.INI
/B%d /DEL
_inst%d.exe
rundll32 desk.cpl,InstallScreenSaver %s
RICHED32.DLL
RICHED20.DLL
c:\%original file name%.exe
GetCPInfo
WinExec
GetWindowsDirectoryA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
ShellExecuteA
ExitWindowsEx
.text
`.rdata
@.data
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
ole32.dll
SHELL32.dll
USER32.dll
VERSION.dll
2, 0, 0, 31

%original file name%.exe_212_rwx_00401000_00023000:

zhXXp://VVV.clickteam.com
D$%S<:W
.clit/
.clit
(hXXp://VVV.clickteam.com/pub
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows NT\CurrentVersion\Fonts
inflate 1.1.3 Copyright 1995-1998 Mark Adler
__MSVCRT_HEAP_SELECT
user32.dll
Software\Microsoft\Windows\CurrentVersion
KERNEL32.DLL
hXXps://
hXXp://
uxtheme.dll
1.1.3
msiexec
#Windows#
%s "%s"
%s%3.3d
-q "%s"
oleaut32.dll
-s "%s"
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
\WININIT.INI
/B%d /DEL
_inst%d.exe
rundll32 desk.cpl,InstallScreenSaver %s
RICHED32.DLL
RICHED20.DLL
c:\%original file name%.exe
GetCPInfo
WinExec
GetWindowsDirectoryA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
ShellExecuteA
ExitWindowsEx
.text
`.rdata
@.data
.rsrc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    TPAutoConnSvc.exe:1844
    InfDefaultInstall.exe:2016
    regsvr32.exe:2440
    runonce.exe:2388
    runonce.exe:1412
    setup.exe:1960

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    C:\Windows\SysWOW64\SET8F.tmp (1281 bytes)
    C:\Windows\SysWOW64\SETA0.tmp (7809 bytes)
    C:\Windows\SysWOW64\SETA1.tmp (2321 bytes)
    C:\Windows\inf\SET5E.tmp (2 bytes)
    C:\Windows\SysWOW64\SET8E.tmp (4984 bytes)
    C:\Windows\SysWOW64\MPG4DS32.AX (245 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam1.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Konwerter\exceptions.$$A (10 bytes)
    %Program Files% (x86)\Your Camera\setup.$$A (16341 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam3.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Konwerter\_tkinter.$$A (707 bytes)
    %Program Files% (x86)\Your Camera\YourCamera.exe (291 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam13.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam11.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\WWW\tlo_dvr_mini.$$A (3 bytes)
    %Program Files% (x86)\Your Camera\Java application for mobile\YourCamera.$$A (998 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\User's Guide.lnk (1 bytes)
    %Program Files% (x86)\Your Camera\Konwerter\zlib.$$A (2543 bytes)
    %Program Files% (x86)\Your Camera\Konwerter\python15.$$A (10504 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam15.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam10.$$A (2104 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\Uninstall.lnk (1 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam14.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\setup.exe (16 bytes)
    %Program Files% (x86)\Your Camera\Konwerter\wbmpconv.$$A (16040 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam16.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Konwerter\tk80.$$A (13968 bytes)
    %Program Files% (x86)\Your Camera\Uninstal.exe (104947 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam8.$$A (2104 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\Your Camera.lnk (1 bytes)
    %Program Files% (x86)\Your Camera\Uninstal.$$A (1921 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Camera\Your Camera.lnk (1 bytes)
    %Program Files% (x86)\Your Camera\User's guide.$$A (12487 bytes)
    %Program Files% (x86)\Your Camera\YourCamera.$$A (51548 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam2.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Konwerter\_imaging.$$A (6040 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam12.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Konwerter\tcl80.$$A (7168 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam4.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam6.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam9.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam7.$$A (2104 bytes)
    %Program Files% (x86)\Your Camera\Audio_ang\Kam5.$$A (2104 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup]
    "Registering nAVI Vx3 MPEG-4 Codec" = "C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\mpg4ds32.ax"

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "Wrapper" = "runonce"

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv" = "grpconv -o"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
