Worm.Win32.Autorun.VB.1_d3aca8d8c6

by malwarelabrobot on December 26th, 2013 in Malware Descriptions.

Win32.Lurka.A (BitDefender), Virus:Win32/Lurka.A (Microsoft), Trojan.Win32.Patched.lz (Kaspersky), Virus.Win32.Lurka.a (v) (VIPRE), Win32.HLLW.Autoruner.33600 (DrWeb), Virus.Worm.SuspectCRC!IK (Emsisoft), W32/Autorun.worm.aa (McAfee), W32.Lurkasys.A!inf (Symantec), Virus.Worm.SuspectCRC (Ikarus), Win32.Lurka.A (FSecure), BackDoor.Bifrose.EU (AVG), Win32:Inject-ABJ (Avast), PE_LURKER.A (TrendMicro), Worm.Win32.Autorun.VB.1.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: d3aca8d8c6f94abcbd11cf45f72872f2
SHA1: 5824f71795a3b2e7846662934febf1f0b8bc5e70
SHA256: 61eef06b30a16cbb56b3cf3a1f69a01169a4b0c0a9e84c8e5b70dc8773887e6c
SSDeep: 3072:Pkp8aqMnfymIiv1zwLvmtf2LkiCXl5/MMzu//ZaGD:PIqMn6mH1zGgxu/xzD
Size: 122880 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1983-11-17 03:00:00
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm: a program that primarily replicates over networks or removable drives.

Payload

Behaviour Description
WormAutorun: a worm that spreads via removable drives. It writes its executable to, and creates an "autorun.inf" script on, every removable drive it finds. The autorun script executes the Worm's file as soon as a user opens the drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

%original file name%.exe:1180

The Worm injects its code into the following process(es):

system.exe:1556
userinit.exe:1760

File activity

The process %original file name%.exe:1180 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\userinit.exe (113 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DFF3C7.tmp (0 bytes)

The process userinit.exe:1760 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\kdcoms.dll (44 bytes)
%System%\system.exe (113 bytes)

Registry activity

The process %original file name%.exe:1180 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 17 13 D1 3E 8A D1 02 C6 87 69 34 8E A5 D9 00"

The process system.exe:1556 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F E5 D9 60 B3 7A 3F 84 A5 B3 40 A0 36 84 35 B7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"HideFileExt" = "1"
"ShowSuperHidden" = "0"

The process userinit.exe:1760 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 9B 91 98 BF 24 86 39 5A AB 58 9B 6E 93 FF 8A"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%WinDir%\userinit.exe"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Worm modifies the "%System%\drivers\etc\hosts" file, which Windows consults before DNS to map host names to IP addresses. The modified file is 544 bytes in size. The following entries are added to the hosts file:

127.0.0.1 download.f-secure.com
127.0.0.1 download.avg.com
127.0.0.1 www.grisoft.cz
127.0.0.1 download.softpedia.com
127.0.0.1 www.bitdefender.co.uk
127.0.0.1 www.bitdefender.com
127.0.0.1 virusscan.jotti.org
127.0.0.1 bkav.com.vn
127.0.0.1 www.bkav.com.vn
127.0.0.1 download.com.vn
127.0.0.1 www.download.com.vn
127.0.0.1 9down.com
127.0.0.1 www.9down.com
127.0.0.1 download.eset.com
127.0.0.1 www.download.com
127.0.0.1 www.symantec.com
127.0.0.1 www.bitdefender.com.vn
127.0.0.1 www.kaspersky.com
127.0.0.1 cmcinfosec.com


Rootkit activity

No anomalies have been detected.

Propagation

The worm spreads via removable drives. It writes its executable to, and creates an "autorun.inf" script on, every removable drive it finds. The autorun script executes the Worm's file as soon as a user opens the drive's folder in Windows Explorer.


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1180

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %WinDir%\userinit.exe (113 bytes)
    %WinDir%\kdcoms.dll (44 bytes)
    %System%\system.exe (113 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
