Worm.Win32.Dorkbot_1decd1d72d
Trojan.Win32.Patched.md (Kaspersky), Virus.Win32.Ramnit.a!dam (v) (VIPRE), Trojan.Win32.SuspectCRC!IK (Emsisoft), Trojan.Win32.IEDummy.FD, Worm.Win32.Dorkbot.FD, BankerGeneric.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, WormDorkbot.YR, GenericAutorunWorm.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericDNSBlocker.YR, GenericUDPFlooder.YR, GenericSYNFlooder.YR, GenericProxy.YR, GenericUSBInfector.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Flooder, Worm, Virus, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 1decd1d72d55ea2d9359efe15e4f05c5
SHA1: 36b0e2ab783d89239f3c26346b914b59abc994a9
SHA256: 98d08b8b12edcc414f2d29393a78977a7ca5d1e5eafe8ed2a97cda7ce08545ea
SSDeep: 3072:1XHJyazNtDmn8kV5sV/kfiTZsMEww6rBK0Oc6Bx LqlRSHtlXcYD0MP4ES6wVLlP:GqD26rMf7Bx X4AECLlIALjS4
Size: 283169 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SetupManager
Created at: 2011-06-12 13:04:32
Summary:
Worm. A program whose primary purpose is to replicate itself across networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | The worm spreads via removable drives: it writes its executable to every removable drive and creates an "autorun.inf" script there. The script launches the worm's file when the user opens the drive in Windows Explorer. (Windows 7 and later, and XP/Vista with update KB971029, no longer honour autorun.inf on USB drives, so this vector only works on unpatched systems.) |
| IRCBot | The bot communicates with its command and control servers over an IRC channel. |
| MSNWorm | The worm spreads copies of itself through MSN Messenger. |
| DNSBlocker | The program blocks DNS resolution of designated domain names, making it difficult for the user to reach specific domains or web sites. |
| UDPFlooder | The program can perform a UDP flood, a denial-of-service attack that sends a large number of UDP packets to random ports on the target host. |
| SYNFlooder | The program can perform a SYN flood, a denial-of-service attack in which a succession of TCP SYN requests is sent to the target system to consume enough server resources that it stops responding to legitimate traffic. |
| Trojan-Proxy | The program can start a SOCKS4 proxy server on a designated TCP port. |
| USBInfector | The program registers for device-arrival notifications with RegisterDeviceNotification, so it is told when a USB device is plugged in, and then copies itself to the newly attached device. |
Process activity
The Worm creates the following process(es):
1decd1d72d55ea2d9359efe15e4f05c5.exe:364
1decd1d72d55ea2d9359efe15e4f05c5.exe:184
ckxqffnwnhdxynpy.exe:1340
1decd1d72d55ea2d9359efe15e4f05c5mgr.exe:1092
The Worm injects its code into the following process(es):
iexplore.exe:656
iexplore.exe:1716
File activity
The process 1decd1d72d55ea2d9359efe15e4f05c5.exe:364 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Xtkmkj.exe (1425 bytes)
The process 1decd1d72d55ea2d9359efe15e4f05c5.exe:184 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
C:\1decd1d72d55ea2d9359efe15e4f05c5mgr.exe (81 bytes)
The process ckxqffnwnhdxynpy.exe:1340 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Program Files%\Wireshark\plugins\0.99.6a (4 bytes)
C:\ (4 bytes)
%Program Files%\Java\jre6\lib\deploy (4 bytes)
%Program Files%\Wireshark\dtds (4 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Program Files%\Java\jre6\lib (12 bytes)
C:\Perl (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM5.tmp (7385 bytes)
%WinDir%\Temp\Perflib_Perfdata_7a8.dat (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM4.tmp (4545 bytes)
%WinDir%\REGISTRATION (4 bytes)
%Program Files%\Java\jre6 (4 bytes)
%WinDir% (96 bytes)
%Documents and Settings%\%current user%\Application Data (4 bytes)
C:\$Directory (1364 bytes)
%Program Files%\Java\jre6\bin (400 bytes)
%System% (11992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rqbdgaea.sys (15 bytes)
%Program Files%\COMMON FILES (4 bytes)
\Device\Harddisk0\DR0 (85328 bytes)
C:\PROGRAM FILES (8 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (18934 bytes)
%Program Files%\Wireshark (16 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Program Files%\Wireshark\snmp\mibs (588 bytes)
%Documents and Settings%\%current user%\LOCAL SETTINGS (4 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\rqbdgaea.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM4.tmp (0 bytes)
The process iexplore.exe:656 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Program Files%\cyljsdca\kfdvddln.exe (601 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\kfdvddln.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\lgdnecqm.log (72 bytes)
The Worm deletes the following file(s):
%Program Files%\cyljsdca\px3.tmp (0 bytes)
The process iexplore.exe:1716 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
C:\Perl\html\bin\ptardiff.html (2459 bytes)
C:\Perl\html\bin\ap-user-guide.html (2166 bytes)
C:\Perl\html\bin\perlthanks.html (4107 bytes)
C:\Perl\html\bin\lwp-request.html (2859 bytes)
C:\Perl\html\bin\pwhich.html (3647 bytes)
C:\Perl\html\blank.html (2214 bytes)
C:\Perl\html\bin\dbiprof.html (2458 bytes)
C:\Perl\eg\PerlEx\bm.htm (3228 bytes)
C:\Perl\html\bin\nytprofhtml.html (2885 bytes)
C:\Perl\html\bin\instmodsh.html (2762 bytes)
C:\Perl\eg\PerlEx\benchmarks.htm (4251 bytes)
C:\Perl\html\changes.html (3039 bytes)
C:\Perl\html\bin\tkx-ed.html (2571 bytes)
C:\Perl\html\bin\lwp-mirror.html (1920 bytes)
C:\Perl\html\bin\enc2xs.html (4429 bytes)
C:\Perl\html\bin\ppm.html (2274 bytes)
C:\Perl\html\bin\exetype.html (2212 bytes)
C:\Perl\html\bin\pod2latex.html (2044 bytes)
C:\Perl\eg\PerlEx\benchtop.htm (2556 bytes)
C:\Perl\html\bin\ptar.html (2423 bytes)
C:\Perl\html\bin\reloc_perl.html (2464 bytes)
C:\Perl\bin\PerlMsg.dll (2744 bytes)
C:\Perl\eg\PerlEx\benchmain.htm (1434 bytes)
C:\Perl\html\bin\libnetcfg.html (2312 bytes)
C:\Perl\html\bin\pl2pm.html (2310 bytes)
C:\Perl\html\bin\pl2bat.html (1937 bytes)
C:\Perl\html\bin\runperl.html (1812 bytes)
C:\Perl\html\bin\xsubpp.html (1548 bytes)
C:\Perl\html\bin\h2xs.html (1920 bytes)
C:\Perl\html\bin\lwp-download.html (1750 bytes)
C:\Perl\html\bin\cpan2dist.html (2521 bytes)
C:\Perl\html\activeperl.html (3467 bytes)
C:\Perl\html\bin\prove.html (2416 bytes)
C:\Perl\html\bin\config_data.html (2860 bytes)
C:\Perl\html\bin\h2ph.html (2413 bytes)
C:\Perl\html\bin\c2ph.html (2024 bytes)
C:\Perl\html\bin\nytprofmerge.html (3038 bytes)
C:\Perl\html\bin\ptargrep.html (2552 bytes)
C:\Perl\html\bin\splain.html (3525 bytes)
C:\Perl\html\bin\nytprofcg.html (2278 bytes)
C:\Perl\html\bin\pod2usage.html (3804 bytes)
C:\Perl\html\bin\pod2html.html (2810 bytes)
C:\Perl\html\bin\dbilogstrip.html (1626 bytes)
C:\Perl\html\bin\corelist.html (2274 bytes)
C:\Perl\html\bin\nytprofcsv.html (2565 bytes)
C:\Perl\html\bin\ap-iis-config.html (1569 bytes)
C:\Perl\html\bin\pod2text.html (3214 bytes)
C:\Perl\html\bin\find2perl.html (2935 bytes)
C:\Perl\eg\PerlEx\blank.htm (2164 bytes)
C:\Perl\eg\IEExamples\index.htm (3478 bytes)
C:\Perl\html\bin\zipdetails.html (2687 bytes)
C:\Perl\html\bin\cpan.html (2105 bytes)
C:\Perl\eg\aspSamples\index.htm (3604 bytes)
C:\Perl\eg\IEExamples\plmouse.htm (2384 bytes)
C:\Perl\html\bin\cpanp.html (2339 bytes)
C:\Perl\eg\IEExamples\plhello.htm (2907 bytes)
C:\Perl\html\bin\perlcritic-gui.html (2569 bytes)
C:\Perl\html\bin\pstruct.html (1910 bytes)
C:\Perl\html\bin\mech-dump.html (3330 bytes)
C:\Perl\eg\IEExamples\plwelcome.htm (2432 bytes)
C:\Perl\html\bin\json_pp.html (1889 bytes)
C:\Perl\html\bin\perlglob.html (3391 bytes)
C:\Perl\html\bin\perlbug.html (4095 bytes)
C:\Perl\html\bin\podchecker.html (3363 bytes)
C:\Perl\html\bin\shasum.html (1872 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\lzma.dll (1194 bytes)
C:\Perl\html\bin\ap-update-html.html (2409 bytes)
C:\Perl\html\bin\perlivp.html (2783 bytes)
C:\Perl\html\bin\piconv.html (3549 bytes)
C:\Perl\html\bin\dbiproxy.html (2599 bytes)
C:\Perl\html\bin\podselect.html (1796 bytes)
C:\Perl\html\bin\psed.html (2433 bytes)
C:\Perl\html\bin\lwp-dump.html (1820 bytes)
C:\Perl\eg\IEExamples\plcalc.htm (2285 bytes)
C:\Perl\html\bin\perlcritic.html (2765 bytes)
C:\Perl\html\bin\s2p.html (2561 bytes)
C:\Perl\html\bin\pod2man.html (2349 bytes)
The process 1decd1d72d55ea2d9359efe15e4f05c5mgr.exe:1092 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~TM2.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ckxqffnwnhdxynpy.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM1.tmp (4545 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~TM2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM1.tmp (0 bytes)
Registry activity
The process 1decd1d72d55ea2d9359efe15e4f05c5.exe:364 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D BA AF 71 3D 6D 81 1E D5 BD A2 54 0C 4B AE 70"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To run itself automatically each time Windows boots, the Worm adds the following value pointing to its file to the registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Xtkmkj" = "%Documents and Settings%\%current user%\Application Data\Xtkmkj.exe"
The process ckxqffnwnhdxynpy.exe:1340 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 CA 15 78 42 82 15 3B 08 0B AF 48 75 5E 99 BA"
The process iexplore.exe:656 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 EE F2 31 28 EA F7 7E 09 4C D9 C4 C1 74 41 D4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\userinit.exe,,%Program Files%\cyljsdca\kfdvddln.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The Worm deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\nm]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess]
The Worm deletes the following value(s) in the system registry:
[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"
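The Run value, the Userinit value and the SafeBoot deletions listed above are the three registry changes an incident responder would look for on other hosts. The following is an added example, not code from the Lavasoft report or from the sample: it parses a REGEDIT 5.00 export (the output of `reg export`, as one would collect from a suspect machine) and runs those three checks over it. The two exports embedded in it are constructed; the expanded paths in them (C:\WINDOWS, the profile name "user") are placeholders rather than data recovered from this sample.

```python
"""Added example, not code from the Lavasoft report or from the sample: triage a
REGEDIT 5.00 export for the registry changes the report records for this worm
(Run-key autostart, Userinit hijack, SafeBoot key deletion).  CLEAN_REG and
INFECTION_REG below are constructed; their expanded paths are placeholders."""
import re

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEYS = tuple(h + r"\software\microsoft\windows\currentversion\run" for h in ("hkcu", "hklm"))
SAFEBOOT = r"hklm\system\currentcontrolset\control\safeboot"
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\")  # writable without admin

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg files double '\' and escape '"'

def parse_reg(text: str, reg: dict = None) -> dict:
    """Apply a .reg export to `reg` (fresh dict when None) and return {normalised key
    path: {value name: data}}; [-key] deletes a subtree, "name"=- a value, as regedit."""
    reg, key = ({} if reg is None else reg), None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = (line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM")
                             .replace("HKEY_CURRENT_USER", "HKCU").lower())
            if key.startswith("-"):  # [-key]: remove the key and everything under it
                for k in [k for k in reg if (k + "\\").startswith(key[1:] + "\\")]:
                    del reg[k]
                key = None
            else:
                reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name, data = _unescape(m.group(1) or ""), m.group(2).strip()
        if data == "-":
            reg[key].pop(name, None)
            continue
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        reg[key][name] = data  # hex(...) blobs and anything else stay raw
    return reg

def check_userinit(reg: dict) -> list:
    """Programs appended to Winlogon\\Userinit; clean is exactly '<system32>\\userinit.exe,'
    and the ',,' of the hijacked value only adds an empty entry, which is skipped."""
    extras = []
    for entry in reg.get(WINLOGON, {}).get("Userinit", "").split(","):
        entry = entry.strip().strip('"')
        low = entry.lower()
        if low and not (low.endswith("\\userinit.exe") and "\\system32\\" in low):
            extras.append(entry)
    return extras

def check_run_keys(reg: dict) -> list:
    """Run values whose command lives in a user-writable profile directory (heuristic)."""
    return [(key, name, cmd) for key in RUN_KEYS
            for name, cmd in reg.get(key, {}).items()
            if isinstance(cmd, str) and any(d in cmd.lower() for d in USER_WRITABLE)]

def check_safeboot(reg: dict) -> dict:
    """No Minimal/Network subkeys: Safe Mode loads no drivers or services; no
    AlternateShell: 'Safe Mode with Command Prompt' has no shell to start."""
    minimal = sum(k.startswith(SAFEBOOT + "\\minimal\\") for k in reg)
    network = sum(k.startswith(SAFEBOOT + "\\network\\") for k in reg)
    shell = reg.get(SAFEBOOT, {}).get("AlternateShell")
    return {"minimal": minimal, "network": network, "alternate_shell": shell,
            "sabotaged": minimal == 0 or network == 0 or shell is None}

def triage(reg: dict) -> dict:
    f = {"userinit_extras": check_userinit(reg), "run_hits": check_run_keys(reg),
         "safeboot": check_safeboot(reg)}
    f["suspicious"] = bool(f["userinit_extras"] or f["run_hits"] or f["safeboot"]["sabotaged"])
    return f

# Constructed clean baseline, trimmed to the keys the checks read.
CLEAN_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"
"""
# The report's registry changes, written as the .reg that would apply them.
INFECTION_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Xtkmkj"="C:\\Documents and Settings\\user\\Application Data\\Xtkmkj.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,,C:\\Program Files\\cyljsdca\\kfdvddln.exe"
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"=-
"""
```

`triage(parse_reg(INFECTION_REG, parse_reg(CLEAN_REG)))` reports the appended kfdvddln.exe, the Xtkmkj Run value in a profile directory and an empty SafeBoot tree, while the clean baseline passes all three checks. The Run-key check is deliberately a heuristic: per-user installers also place programs under Application Data, so its hits are leads to review rather than verdicts.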
The process iexplore.exe:1716 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 49 85 D0 90 7F 52 31 D2 FE 67 8E 8D DA 4D 14"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1201" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1201" = "0"
Value "1201" in zone 0 (the Local Machine zone) is the "Initialize and script ActiveX controls not marked as safe for scripting" setting; 0 means Enable, so content loaded from the local machine can instantiate and script unsafe ActiveX controls without a prompt.
The process 1decd1d72d55ea2d9359efe15e4f05c5mgr.exe:1092 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 F2 53 EC 1B 3F 8C EB AD 40 5F EC 21 61 6F BA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ckxqffnwnhdxynpy.exe" = "Macromedia Flash Player 6.0 r21"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Worm modifies the IE security zone map so that all local (intranet) sites not listed in other zones are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies the IE security zone map so that all network paths (UNCs) are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies the IE security zone map so that all sites that bypass the proxy server are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Network activity (URLs)
| URL | IP | Country |
|---|---|---|
| hxxp://api.wipmania.com/ (ET POLICY External IP Lookup Attempt To Wipmania) | 69.197.137.58 | |
| iluminati9999900.com | 91.233.244.106 | |
The api.wipmania.com request is the bot looking up its own public IP address and country; the ET POLICY name in parentheses is the Emerging Threats signature that fires on it.
Rootkit activity
The Worm installs the following kernel-mode hooks:
ZwCreateKey
ZwOpenKey
The Worm installs the following user-mode hooks in WININET.dll:
HttpSendRequestW
InternetWriteFile
HttpSendRequestA
The Worm installs the following user-mode hooks in ADVAPI32.dll:
RegCreateKeyExA
RegCreateKeyExW
The Worm installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Worm installs the following user-mode hooks in kernel32.dll:
MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA
The Worm installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
The Worm hooks DriverStartIO in the miniport driver of the hard disk controller (ATAPI) so that it can intercept requests to its own files:
MJ_INTERNAL_DEVICE_CONTROL
Propagation
The worm spreads via removable drives: it writes its executable to every removable drive and creates an "autorun.inf" script there. The script launches the worm's file when the user opens the drive in Windows Explorer.
The program registers for device-arrival notifications with RegisterDeviceNotification, so it is told when a USB device is plugged in, and then copies itself to the newly attached device.
The worm spreads copies of itself through MSN Messenger.
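The autorun.inf mechanism described in the payload table and again here is easy to triage from a drive image or a mounted USB stick. The following is an added example, not code from the Lavasoft report or from the sample: it parses an autorun.inf the way a worm-tolerant scanner must (skipping junk sections and malformed lines), reports what Windows would execute, and flags the lure tricks Autorun worms rely on (a dropper parked in a folder Explorer hides, a folder icon, and an "Open folder" action text). The sample autorun.inf is constructed; the RECYCLER path and xyzw.exe in it are placeholders, not artefacts recovered from this worm.

```python
"""Added example, not code from the Lavasoft report or from the sample: triage
an autorun.inf taken from removable media and report what Windows would run
when the drive is opened.  SAMPLE_INF is constructed; its RECYCLER path and
xyzw.exe are placeholders, not artefacts recovered from this worm."""
import ntpath
import re

# [autorun] keys whose value Windows executes on AutoPlay or on "Open"/"Explore".
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# Folders Explorer hides by default, where Autorun worms park their dropper.
HIDDEN_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}
# shell32.dll icon 4 is the closed-folder icon: the drive then looks like a
# folder in "My Computer", inviting the double-click that runs the payload.
FOLDER_ICON = re.compile(r"shell32\.dll\s*,\s*4\s*$", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Key/value pairs of the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser: worms pad the file with junk
    sections, duplicate keys and lines without '=' that a strict INI parser
    rejects, so such lines are skipped instead of aborting the scan."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _program(command: str) -> str:
    """The program part of a command line, honouring a quoted path."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def launch_targets(entries: dict) -> list:
    """(key, program) for every execution key present, program normalised as a
    path relative to the drive root."""
    return [(key, ntpath.normpath(_program(entries[key])))
            for key in EXEC_KEYS if entries.get(key)]


def triage(text: str) -> dict:
    """Any execution key on removable media is treated as suspicious; the other
    checks describe how the lure is built."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons = []
    if targets:
        reasons.append("executes " + ", ".join(sorted({p for _, p in targets})))
    hidden = {p.split("\\")[0].lower() for _, p in targets} & HIDDEN_DIRS
    if hidden:
        reasons.append("program hidden in " + ", ".join(sorted(hidden)))
    if FOLDER_ICON.search(entries.get("icon", "")):
        reasons.append("drive icon spoofed as a folder")
    if "open folder" in entries.get("action", "").lower():
        reasons.append("AutoPlay action text mimics 'Open folder to view files'")
    return {"entries": entries, "targets": targets, "reasons": reasons,
            "suspicious": bool(targets)}


# Constructed sample in the style of an Autorun worm's autorun.inf: UTF-8 BOM,
# the same program behind every way of opening the drive, a junk section and
# a malformed line.
SAMPLE_INF = "\ufeff" + r"""[autorun]
open=RECYCLER\S-1-5-21-0000\xyzw.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-0000\xyzw.exe
shell\explore\command=RECYCLER\S-1-5-21-0000\xyzw.exe
[padding]
this line has no equals sign
"""
# A harmless autorun.inf: label and icon only, nothing to execute.
BENIGN_INF = "[autorun]\nlabel=Photos\nicon=photos.ico\n"

if __name__ == "__main__":
    for name, inf in (("sample", SAMPLE_INF), ("benign", BENIGN_INF)):
        result = triage(inf)
        print(name, "suspicious" if result["suspicious"] else "clean", "; ".join(result["reasons"]))
```

Run against a real drive, `triage(open(r"E:\autorun.inf", encoding="latin-1").read())` gives the program path to hash and submit; the `open`, `shell\open\command` and `shell\explore\command` keys all pointing at one executable is the usual sign that the file exists only to launch it.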
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
1decd1d72d55ea2d9359efe15e4f05c5.exe:364
1decd1d72d55ea2d9359efe15e4f05c5.exe:184
ckxqffnwnhdxynpy.exe:1340
1decd1d72d55ea2d9359efe15e4f05c5mgr.exe:1092
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm (the directory entries and the raw disk device \Device\Harddisk0\DR0 in this list are write targets recorded during analysis rather than files to delete, and the HTML files under C:\Perl are pre-existing legitimate files the Worm modified, so restore them from a clean copy instead of deleting them):
%Documents and Settings%\%current user%\Application Data\Xtkmkj.exe (1425 bytes)
C:\1decd1d72d55ea2d9359efe15e4f05c5mgr.exe (81 bytes)
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Program Files%\Wireshark\plugins\0.99.6a (4 bytes)
%Program Files%\Java\jre6\lib\deploy (4 bytes)
%Program Files%\Wireshark\dtds (4 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
C:\Perl (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM5.tmp (7385 bytes)
%WinDir%\Temp\Perflib_Perfdata_7a8.dat (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM4.tmp (4545 bytes)
%WinDir%\REGISTRATION (4 bytes)
C:\$Directory (1364 bytes)
%Program Files%\Java\jre6\bin (400 bytes)
%System% (11992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rqbdgaea.sys (15 bytes)
%Program Files%\COMMON FILES (4 bytes)
\Device\Harddisk0\DR0 (85328 bytes)
C:\PROGRAM FILES (8 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (18934 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Program Files%\Wireshark\snmp\mibs (588 bytes)
%Documents and Settings%\%current user%\LOCAL SETTINGS (4 bytes)
%Program Files%\cyljsdca\kfdvddln.exe (601 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\kfdvddln.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\lgdnecqm.log (72 bytes)
C:\Perl\html\bin\ptardiff.html (2459 bytes)
C:\Perl\html\bin\ap-user-guide.html (2166 bytes)
C:\Perl\html\bin\perlthanks.html (4107 bytes)
C:\Perl\html\bin\lwp-request.html (2859 bytes)
C:\Perl\html\bin\pwhich.html (3647 bytes)
C:\Perl\html\blank.html (2214 bytes)
C:\Perl\html\bin\dbiprof.html (2458 bytes)
C:\Perl\eg\PerlEx\bm.htm (3228 bytes)
C:\Perl\html\bin\nytprofhtml.html (2885 bytes)
C:\Perl\html\bin\instmodsh.html (2762 bytes)
C:\Perl\eg\PerlEx\benchmarks.htm (4251 bytes)
C:\Perl\html\changes.html (3039 bytes)
C:\Perl\html\bin\tkx-ed.html (2571 bytes)
C:\Perl\html\bin\lwp-mirror.html (1920 bytes)
C:\Perl\html\bin\enc2xs.html (4429 bytes)
C:\Perl\html\bin\ppm.html (2274 bytes)
C:\Perl\html\bin\exetype.html (2212 bytes)
C:\Perl\html\bin\pod2latex.html (2044 bytes)
C:\Perl\eg\PerlEx\benchtop.htm (2556 bytes)
C:\Perl\html\bin\ptar.html (2423 bytes)
C:\Perl\html\bin\reloc_perl.html (2464 bytes)
C:\Perl\bin\PerlMsg.dll (2744 bytes)
C:\Perl\eg\PerlEx\benchmain.htm (1434 bytes)
C:\Perl\html\bin\libnetcfg.html (2312 bytes)
C:\Perl\html\bin\pl2pm.html (2310 bytes)
C:\Perl\html\bin\pl2bat.html (1937 bytes)
C:\Perl\html\bin\runperl.html (1812 bytes)
C:\Perl\html\bin\xsubpp.html (1548 bytes)
C:\Perl\html\bin\h2xs.html (1920 bytes)
C:\Perl\html\bin\lwp-download.html (1750 bytes)
C:\Perl\html\bin\cpan2dist.html (2521 bytes)
C:\Perl\html\activeperl.html (3467 bytes)
C:\Perl\html\bin\prove.html (2416 bytes)
C:\Perl\html\bin\config_data.html (2860 bytes)
C:\Perl\html\bin\h2ph.html (2413 bytes)
C:\Perl\html\bin\c2ph.html (2024 bytes)
C:\Perl\html\bin\nytprofmerge.html (3038 bytes)
C:\Perl\html\bin\ptargrep.html (2552 bytes)
C:\Perl\html\bin\splain.html (3525 bytes)
C:\Perl\html\bin\nytprofcg.html (2278 bytes)
C:\Perl\html\bin\pod2usage.html (3804 bytes)
C:\Perl\html\bin\pod2html.html (2810 bytes)
C:\Perl\html\bin\dbilogstrip.html (1626 bytes)
C:\Perl\html\bin\corelist.html (2274 bytes)
C:\Perl\html\bin\nytprofcsv.html (2565 bytes)
C:\Perl\html\bin\ap-iis-config.html (1569 bytes)
C:\Perl\html\bin\pod2text.html (3214 bytes)
C:\Perl\html\bin\find2perl.html (2935 bytes)
C:\Perl\eg\PerlEx\blank.htm (2164 bytes)
C:\Perl\eg\IEExamples\index.htm (3478 bytes)
C:\Perl\html\bin\zipdetails.html (2687 bytes)
C:\Perl\html\bin\cpan.html (2105 bytes)
C:\Perl\eg\aspSamples\index.htm (3604 bytes)
C:\Perl\eg\IEExamples\plmouse.htm (2384 bytes)
C:\Perl\html\bin\cpanp.html (2339 bytes)
C:\Perl\eg\IEExamples\plhello.htm (2907 bytes)
C:\Perl\html\bin\perlcritic-gui.html (2569 bytes)
C:\Perl\html\bin\pstruct.html (1910 bytes)
C:\Perl\html\bin\mech-dump.html (3330 bytes)
C:\Perl\eg\IEExamples\plwelcome.htm (2432 bytes)
C:\Perl\html\bin\json_pp.html (1889 bytes)
C:\Perl\html\bin\perlglob.html (3391 bytes)
C:\Perl\html\bin\perlbug.html (4095 bytes)
C:\Perl\html\bin\podchecker.html (3363 bytes)
C:\Perl\html\bin\shasum.html (1872 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\lzma.dll (1194 bytes)
C:\Perl\html\bin\ap-update-html.html (2409 bytes)
C:\Perl\html\bin\perlivp.html (2783 bytes)
C:\Perl\html\bin\piconv.html (3549 bytes)
C:\Perl\html\bin\dbiproxy.html (2599 bytes)
C:\Perl\html\bin\podselect.html (1796 bytes)
C:\Perl\html\bin\psed.html (2433 bytes)
C:\Perl\html\bin\lwp-dump.html (1820 bytes)
C:\Perl\eg\IEExamples\plcalc.htm (2285 bytes)
C:\Perl\html\bin\perlcritic.html (2765 bytes)
C:\Perl\html\bin\s2p.html (2561 bytes)
C:\Perl\html\bin\pod2man.html (2349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM2.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ckxqffnwnhdxynpy.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM1.tmp (4545 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Xtkmkj" = "%Documents and Settings%\%current user%\Application Data\Xtkmkj.exe"
- Restore the "Userinit" value under [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] to its default, "%System%\userinit.exe,", so that kfdvddln.exe is no longer started at every logon, and re-create the deleted keys under [HKLM\System\CurrentControlSet\Control\SafeBoot] (for example by exporting them from a clean machine running the same Windows version); otherwise Safe Mode will not start correctly.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
