Worm.Win32.Ainslot.VB_77ed49f8fe

by malwarelabrobot on October 13th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan-Dropper.MSIL!IK (Emsisoft), Backdoor.Win32.PcClient.FD, Worm.Win32.Ainslot.VB.FD, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, WormAutorun


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 77ed49f8feef4fbbe79a12fc518ace94
SHA1: bb41287f8b07be34d6d69c827fcc9629cc48044c
SHA256: 8edb71fae6086897e172c045602e54a6dcf3956875c4ed0e21ae0953ab73beac
SSDeep: 12288:bLtrkqsgmWguPVtJf6GAyZMOBAHJI VBJKc8J12vEw:lkzGtAGASBiAJU
Size: 1756160 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2012-09-06 02:09:11


Summary:

Worm: a program that replicates primarily over networks or removable drives.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

ctfmon.exe:252
WScript.exe:1636
77ed49f8feef4fbbe79a12fc518ace94.exe:2732
rundll32.exe:260
reg.exe:2300
reg.exe:3944
reg.exe:3956
reg.exe:3924
dumprep.exe:3984
dumprep.exe:1480

The Worm injects its code into the following process(es):

MicrosoftPointGenerator.exe:3904

File activity

The process 77ed49f8feef4fbbe79a12fc518ace94.exe:2732 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (35 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (11518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\j.vbs (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MicrosoftPointGenerator.exe (6417 bytes)

The process dumprep.exe:3984 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WERb0c9.dir00\svchost.exe.mdmp (100842 bytes)

The process dumprep.exe:1480 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WERb0c9.dir00\svchost.exe.hdmp (202477 bytes)

Registry activity

The process MicrosoftPointGenerator.exe:3904 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 B6 2A 96 A3 71 49 10 DA 50 E4 87 22 F2 37 93"

The process ctfmon.exe:252 makes changes in the system registry.
The Worm disables automatic startup of an application by deleting the following autorun value from the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process WScript.exe:1636 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D D8 5D 2C D3 15 CB 82 AF F5 61 54 0D 6E 2D BE"

The process 77ed49f8feef4fbbe79a12fc518ace94.exe:2732 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 E8 04 E6 B1 3D 9C E8 64 1C 64 59 D2 15 21 BA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\System32]
"WScript.exe" = "Microsoft (R) Windows Based Script Host"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"MicrosoftPointGenerator.exe" = "WindowsApplication1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE security-zone settings so that all local web nodes with no dots in their name, which are not assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process rundll32.exe:260 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 F4 B6 DF C6 8F 97 A9 94 E9 56 0D CB 3D E9 87"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "EnableNXShowUI"

[HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility]
"AppCompatCache" = "EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "Microsoft® Resource File To COFF Object Conversion Utility"

The process reg.exe:2300 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 BD 55 F0 D2 43 8C AD D5 BF BB 9F 3B 08 16 C8"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:3944 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 DE 5F 02 07 0B 88 AB 0B 6E 98 E7 96 50 1F 20"

Adds a rule to the Windows Firewall that allows any network activity for the application:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"unfud.exe" = "%Documents and Settings%\%current user%\Application Data\unfud.exe:*:Enabled:Windows Messanger"

The process reg.exe:3956 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A CB 2C 46 32 C4 F9 72 F0 4E 70 E2 57 95 17 23"

Adds a rule to the Windows Firewall that allows any network activity for the application:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe:*:Enabled:Windows Messanger"

The process reg.exe:3924 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 5A 51 A3 9B 65 D0 4C A9 51 60 A8 11 B2 E0 F8"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process dumprep.exe:3984 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D B4 B0 C8 71 5D 89 78 14 F8 D2 B7 FE 2B 4B 05"

The process dumprep.exe:1480 makes changes in the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 8F C3 DC B7 B7 83 AF 4C 51 1C 83 38 ED 64 60"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WScript.exe:1636
    77ed49f8feef4fbbe79a12fc518ace94.exe:2732
    rundll32.exe:260
    reg.exe:2300
    reg.exe:3944
    reg.exe:3956
    reg.exe:3924
    dumprep.exe:3984
    dumprep.exe:1480

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (35 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (11518 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\j.vbs (344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MicrosoftPointGenerator.exe (6417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WERb0c9.dir00\svchost.exe.mdmp (100842 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WERb0c9.dir00\svchost.exe.hdmp (202477 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.