Worm.Win32.Ainslot.VB_7945484ec9

by malwarelabrobot on July 29th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Win32.Ainslot.VB.FD, WormAinslot_VariantOfZeus.YR, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 7945484ec9182f9a7c7719a8559efcea
SHA1: b76b7b2e30b805812a8cf4c7196dac7d0bc11ea3
SHA256: efa9f8a5c8375c0e871a1bf3a366518c85b57beac7141e2c8f086f7daf4f3343
SSDeep: 12288:DSIm7Wctuli/l4ivmDUEppddEMOESqp8WD8miY8xIWF:2ImNx/lBEp59OESiB8miY4z
Size: 539164 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC; UPolyXv05_v6; NETexecutable
Company: no certificate found
Created at: 2013-07-25 20:26:33


Summary:

Worm. A program that primarily replicates over networks or removable drives.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

AppLaunch.exe:2712
AppLaunch.exe:604
AppLaunch.exe:768
AppLaunch.exe:2848
AppLaunch.exe:572
AppLaunch.exe:1328
AppLaunch.exe:1308
AppLaunch.exe:608
AppLaunch.exe:456
AppLaunch.exe:1088
AppLaunch.exe:132
AppLaunch.exe:2192
AppLaunch.exe:1480
AppLaunch.exe:1872
AppLaunch.exe:692
AppLaunch.exe:1076
AppLaunch.exe:1580
AppLaunch.exe:1732
AppLaunch.exe:348
AppLaunch.exe:2360
AppLaunch.exe:2288
AppLaunch.exe:2768
AppLaunch.exe:2120
AppLaunch.exe:300
AppLaunch.exe:1336
AppLaunch.exe:2424
AppLaunch.exe:1796
AppLaunch.exe:1860
AppLaunch.exe:1956
AppLaunch.exe:1700
AppLaunch.exe:1608
AppLaunch.exe:1620
AppLaunch.exe:1624
AppLaunch.exe:1840
AppLaunch.exe:2808
AppLaunch.exe:536
AppLaunch.exe:2672
AppLaunch.exe:1244
AppLaunch.exe:1572
AppLaunch.exe:2484
7945484ec9182f9a7c7719a8559efcea.exe:1684
wbemcore.exe:600
reg.exe:1500
reg.exe:1520
reg.exe:1768

The Worm injects its code into the following process(es):

SyncHost.exe:868
AppLaunch.exe:1652
wbemcore.exe:504
reg.exe:504

File activity

The process SyncHost.exe:868 makes changes in a file system.
The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\SyncHost.exe (0 bytes)

The process AppLaunch.exe:1652 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\sbbc.exe (59 bytes)
%Documents and Settings%\%current user%\Application Data\user (33 bytes)

The process 7945484ec9182f9a7c7719a8559efcea.exe:1684 makes changes in a file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe (10 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\SyncHost.exe (3361 bytes)

Registry activity

The process SyncHost.exe:868 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 61 44 C7 CD 89 CA 0F 43 E2 42 3F 83 3D D6 ED"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE security-zone settings so that all local web nodes with dot-less names that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process AppLaunch.exe:2712 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 77 A3 42 5A 04 56 C6 BC 00 F1 BD FC B9 95 C3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:604 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 1D E4 23 5B 50 81 4C DB 16 A2 C0 74 1B F9 D8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:768 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 98 64 77 AF 69 6A 15 95 F6 ED 8E 79 9D 0A AA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2848 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 FA 94 D3 60 C3 68 BD E3 B2 E6 D9 D1 56 B9 88"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:572 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 01 88 41 02 11 92 E9 BE EC CA AE 35 67 DA 20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1328 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 51 43 F4 A0 B0 D6 BD C5 DE 7E 8E 17 E1 C5 63"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1308 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 5D C4 11 77 10 D2 AE 36 58 E8 13 9E E6 6E 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:608 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 76 58 6B 54 2C 2D D3 FA 4A E0 9D 57 B2 29 8D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:456 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 3C D3 83 DF 4E 72 C0 B1 35 CD F6 AD 4A FA 38"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1088 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 57 A2 BD C1 3F 4F ED D8 7C 20 B0 B4 C7 5F A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:132 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 04 7F D5 FA 47 65 7A 7F 40 17 B9 40 6E C9 A9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2192 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 E5 BD 1A C8 BC A2 BA 31 10 70 F0 FB BA 9B 10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1480 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 BC 54 A3 87 32 67 24 3B 56 E4 F9 7D 4F 08 FD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1872 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 56 E2 11 CF 05 9A B2 64 6A 43 B0 7B 5B B6 20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:692 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A FC D6 19 0B 2A 9F 8A EE 27 CE 4E 6F 00 1B FE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1076 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 80 89 24 06 8B E7 CD 93 F5 88 1C 28 FF A3 C4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1580 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 5D 45 D6 B2 70 86 13 31 EA C5 63 07 34 2B 39"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1732 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 26 5B 81 88 BC A8 D2 7B 2F 55 94 C9 F1 23 11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1652 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 4D BC 5B 61 A3 45 8F 9E 5C EB EC 5E EC 94 EA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"GDZC41JC7M" = "User"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"GDZC41JC7M" = "July 28, 2013"

The process AppLaunch.exe:348 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 0E D3 03 3B BF AB CA FC 40 F8 BB A4 18 14 2B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2360 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F F5 EE 9E AB E5 47 4A C9 8E 96 37 CC 1B EF 6F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2288 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 2F 9C 67 7D 20 5C D4 36 FE D2 B7 7E 50 6E 2D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2768 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 B4 E8 07 E3 E1 D5 4B E5 A9 BB 7D E4 75 DE 40"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2120 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A DB 12 30 0E 91 20 96 BE 5E 1E D0 C8 02 B2 63"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:300 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 E9 01 E5 DF 86 58 BD 0B 52 A1 7D 35 14 B1 2B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1336 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 41 C9 F1 78 D6 45 F0 A8 1C 0C E9 B4 45 A7 80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2424 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 5D FE 5E 5D AC 85 E9 4B E8 7F 29 4E 18 3D 97"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1796 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F C2 F8 B3 7A 1F 44 E6 95 B1 86 04 18 18 FE BC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1860 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 08 C2 62 CA 40 0D 1E 11 88 58 64 7D DD FE 4D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1956 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 7F B7 25 41 21 37 EB 32 3B CB 35 6B 10 C4 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1700 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 5B E6 0B 82 32 93 D8 AC 0B CE D2 64 C2 E2 B7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1608 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 39 1A 27 81 CE 40 CA 59 78 59 EF 95 A5 84 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1620 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 A9 BE 1E AC A3 5F 24 D1 AD CC CB 18 C9 EB 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1624 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 46 2D 30 E5 18 75 03 E9 13 E8 06 32 4B 1D 5C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1840 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 D5 70 9E 73 D2 C8 76 DB 3F 11 56 28 DE 27 5C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2808 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 7F 67 1C 22 CB E8 2D 8A 32 37 B3 A8 B7 86 B1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:536 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 5B 05 7B C5 27 88 E0 A5 40 F9 E5 80 0B C5 B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2672 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 3B B7 AF 93 31 6E 28 9D 61 9C 48 0E 48 67 98"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1244 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 07 B1 05 C1 E9 28 E9 41 34 99 FB 4E FF 2E 4D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:1572 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 64 1D 98 7D C3 AE F5 1C 9F BE 64 B3 E0 CD 43"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process AppLaunch.exe:2484 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 4C 54 90 DD 77 AB 92 37 8A 61 6D 82 FF C0 25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process 7945484ec9182f9a7c7719a8559efcea.exe:1684 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E D3 EB C9 3F D6 C5 9C B4 06 15 6E 54 E1 B3 80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft\Windows]
"wbemcore.exe" = "Windows Management Instrumentation"

The Worm modifies IE security-zone settings so that all local web nodes with dot-less names that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process wbemcore.exe:504 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 1F 45 F2 B5 86 01 97 17 2C A2 C5 F4 E9 1B 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To run itself automatically each time Windows boots, the Worm adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Management Instrumentation" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe"

The process wbemcore.exe:600 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 84 4E AD 4B 2A 94 47 23 E6 59 14 5C 9C 11 36"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To run itself automatically each time Windows boots, the Worm adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Management Instrumentation" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe"

The process reg.exe:1500 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 6A C4 8E E5 FF FC 0A E9 6D 04 BB 2D 60 1A 95"

The Worm adds a rule to the Windows Firewall that allows the listed program any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"AppLaunch.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger"

The process reg.exe:504 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 D5 F6 1D 49 58 F2 F1 65 00 D5 95 ED 99 60 BD"

The Worm adds a rule to the Windows Firewall that allows the listed program any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"sbbc.exe" = "%Documents and Settings%\%current user%\Application Data\sbbc.exe:*:Enabled:Windows Messanger"

The process reg.exe:1520 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 B0 89 36 12 E8 FF 9A 1A 94 21 57 E3 F4 B8 E2"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

The process reg.exe:1768 makes changes in a system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 90 E5 1E BD 39 E8 BC 91 69 91 75 A2 D5 D6 50"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    AppLaunch.exe:2712
    AppLaunch.exe:604
    AppLaunch.exe:768
    AppLaunch.exe:2848
    AppLaunch.exe:572
    AppLaunch.exe:1328
    AppLaunch.exe:1308
    AppLaunch.exe:608
    AppLaunch.exe:456
    AppLaunch.exe:1088
    AppLaunch.exe:132
    AppLaunch.exe:2192
    AppLaunch.exe:1480
    AppLaunch.exe:1872
    AppLaunch.exe:692
    AppLaunch.exe:1076
    AppLaunch.exe:1580
    AppLaunch.exe:1732
    AppLaunch.exe:348
    AppLaunch.exe:2360
    AppLaunch.exe:2288
    AppLaunch.exe:2768
    AppLaunch.exe:2120
    AppLaunch.exe:300
    AppLaunch.exe:1336
    AppLaunch.exe:2424
    AppLaunch.exe:1796
    AppLaunch.exe:1860
    AppLaunch.exe:1956
    AppLaunch.exe:1700
    AppLaunch.exe:1608
    AppLaunch.exe:1620
    AppLaunch.exe:1624
    AppLaunch.exe:1840
    AppLaunch.exe:2808
    AppLaunch.exe:536
    AppLaunch.exe:2672
    AppLaunch.exe:1244
    AppLaunch.exe:1572
    AppLaunch.exe:2484
    7945484ec9182f9a7c7719a8559efcea.exe:1684
    wbemcore.exe:600
    reg.exe:1500
    reg.exe:1520
    reg.exe:1768

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Application Data\sbbc.exe (59 bytes)
    %Documents and Settings%\%current user%\Application Data\user (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe (10 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\SyncHost.exe (3361 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Windows Management Instrumentation" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\wbemcore.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.