Win32/Delf.NRC [Threat Name]
Win32/Delf.NRC [Threat Variant Name]
Category | trojan, worm
Size | 86697 B
Aliases | Worm.Win32.AutoRun.hre (Kaspersky), Trojan.KillAV (Symantec), Trojan:Win32/Startpage.RH (Microsoft)
Short description
Win32/Delf.NRC is a worm that spreads by copying itself to the root of local, remote and removable drives and into folders on local drives. It disables a long list of security tools, blocks Safe Mode, and replaces the Internet Explorer desktop icon with a look-alike that opens an attacker-chosen web page.
Installation
When executed, the worm creates the following folders:
- C:\EEQQ\
- %system%\fwnbsnqiuj\
- %system%\icnbxbadhx\
The worm creates the following files:
- C:\EEQQ\EEQ.exe
- C:\EEQQ\QQE.exe
- %system%\icnbxbadhx\explorer.exe
- %system%\fwnbsnqiuj\smss.exe
- %programfilescommon%\ocsoss.dll
- %favorites%\%filename%.url
- %commondesktopdirectory%\Intennet Exploner.lnk
- %commondesktopdirectory%\%filename%·.url
- %commondesktopdirectory%\%filename%.url
- %commondesktopdirectory%\%filename%.url
- %commonstartup%\%variable%.lnk
%filename% represents a string written in Chinese.
The following library is injected into all running processes:
- %programfilescommon%\ocsoss.dll
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
- "icnbxbadhx" = "%system%\icnbxbadhx\smss.exe"
- "fwnbsnqiuj" = "%system%\fwnbsnqiuj\explorer.exe"
The following Registry entries are created. Each Image File Execution Options entry makes Windows start "ntsd -d" in place of the named program, so the listed security tools (mostly Chinese antivirus, firewall and system-repair utilities, plus tools such as IceSword, HijackThis, autoruns and the System Restore front end rstrui.exe) never get past their initial debugger break; on systems that no longer ship ntsd.exe the launch fails outright:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravcopy.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastU3.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanU3.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvU3Launcher.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCMgr.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SelfUpdate.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCRTP.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zjb.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorMain.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atpup.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWSMain.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DSMain.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwstray.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knsd.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiU.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp2.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp3.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knsdave.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\irsetup.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWSUpd.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sdrun.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSC.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ghost.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngPS.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XDelBox.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knsdtray.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appdllman.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XP.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TxoMoU.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AoYun.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Discovery.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guangd.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernelwind32.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logogo.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\799d.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stormii.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmp.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jisu.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filmst.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qheart.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qsetup.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sxgame.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbapp.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfserver.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCSmashFile.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
- "Debugger" = "ntsd -d"
- [HKEY_CLASSES_ROOT\exefile]
- "NeverShowExt" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
- "ModRiskFileTypes" = ".exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StorageDevicePolicies]
- "WriteProtect" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "ShowSuperHidden" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
- "{871C5380-42A0-1069-A2EA-08002B30309D}" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
- "{871C5380-42A0-1069-A2EA-08002B30309D}" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}]
- "InfoTip" = "@shdoclc.dll,-881"
- "LocalizedString" = "@shdoclc.dll,-880"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage\Command]
- "(Default)" = "iexplore.exe http://www.sfc006.com/?Activex"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\-(-+(&R)\Command]
- "(default)" = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage]
- "(Default)" = "¦=+¬+?-¦(&H)"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell\OpenHomePage]
- "MUIVerb" = "@shdoclc.dll,-10241"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\Shellex\ContextMenuHandlers\ieframe]
- "(Default)" = "{871C5380-42A0-1069-A2EA-08002B30309D}"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\ShellFolder]
- "Attributes" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\shell]
- "OpenHomePage" = ""
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\InProcServer32]
- "(Default)" = "%SystemRoot%\system32\shdocvw.dll"
- "ThreadingModel" = "Apartment"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\DefaultIcon]
- "(Default)" = "shdoclc.dll,-190"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\InfoTip]
- "(Default)" = "@shdoclc.dll,-881"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}\LocalizedString]
- "(Default)" = "@shdoclc.dll,-880"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F986CC17-37C0-4585-B7D9-15F2161F0584}\InProcServer32]
Taken together, these entries hide the genuine Internet Explorer desktop icon ({871C5380-42A0-1069-A2EA-08002B30309D}) and place a look-alike namespace object ({F986CC17-37C0-4585-B7D9-15F2161F0584}) on the desktop that borrows the real icon and display strings from shdoclc.dll but whose home-page verb launches iexplore.exe on http://www.sfc006.com/?Activex (the two verb labels are Chinese strings rendered above in the wrong code page). The NeverShowExt value hides the .exe extension of every executable, ModRiskFileTypes downgrades .exe from the high-risk to the moderate-risk attachment class, ShowSuperHidden keeps protected system files out of Explorer listings, and WriteProtect = 0 makes sure removable drives stay writable for the copies described under Spreading.
The following Registry entries are removed. The SafeBoot entries are the disk-drive device class {4D36E967-E325-11CE-BFC1-08002BE10318}; without them Windows cannot start in Safe Mode, the usual route for cleaning a system by hand. The remaining entries are the Explorer context-menu handlers of 360 Safe and Rising antivirus:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SD360]
- [HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\SD360]
- [HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SD360]
- [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Safe360Ext]
- [HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\Safe360Ext]
- [HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\Safe360Ext]
- [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RisingRavExt]
- [HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\RisingRavExt]
- [HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\RisingRavExt]
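The entries above can be checked offline against a `reg export` of a suspect host. The script below is an added example written for this page, not part of the original description or of any vendor tool: it parses the .reg text format, lists every Image File Execution Options entry that carries a Debugger value, reads the Policies\Explorer\Run autostart entries, and checks for the hidden Internet Explorer icon, the NeverShowExt value and a SafeBoot branch that has lost the disk-drive class. The SAMPLE_REG fragment is constructed to look like such an export of an infected machine; the concrete path C:\WINDOWS\system32\icnbxbadhx\smss.exe is an assumed expansion of %system%.

```python
"""Triage a .reg export for the tampering listed above (added example, not vendor code)."""
import re
from collections import defaultdict

# Constructed sample standing in for a `reg export` of an infected host;
# %system% is assumed to expand to C:\WINDOWS\system32.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"icnbxbadhx"="C:\\WINDOWS\\system32\\icnbxbadhx\\smss.exe"
[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

IFEO = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
POLICY_RUN = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
HIDE_ICONS = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons'
SAFEBOOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot'
IE_DESKTOP_ICON = '{871C5380-42A0-1069-A2EA-08002B30309D}'   # genuine Internet Explorer icon
DISK_DRIVE_CLASS = '{4D36E967-E325-11CE-BFC1-08002BE10318}'  # disk-drive device class

def _decode(data):
    """REG_SZ (with \\ and \" unescaped) and REG_DWORD data; hex blobs stay raw text."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r'\\(.)', r'\1', data[1:-1])
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data

def parse_reg(text):
    """Return {key path: {value name (lower-cased): data}}; the default value is '@'."""
    keys, current = defaultdict(dict), None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys[current]                      # keep keys that carry no values
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group('default') else re.sub(r'\\(.)', r'\1', m.group('name'))
            keys[current][name.lower()] = _decode(m.group('data'))
    return dict(keys)

def _value(keys, key_path, name):
    """Case-insensitive lookup, as the registry itself is case-insensitive."""
    for path, vals in keys.items():
        if path.lower() == key_path.lower():
            return vals.get(name.lower())
    return None

def ifeo_debugger_hijacks(keys):
    """(image name, debugger command) for every IFEO entry carrying a Debugger value."""
    prefix = (IFEO + '\\').lower()
    return sorted((path[len(prefix):], vals['debugger'])
                  for path, vals in keys.items()
                  if path.lower().startswith(prefix) and 'debugger' in vals)

def policy_run_entries(keys):
    """Autostart values under Policies\\Explorer\\Run, a less-watched Run location."""
    for path, vals in keys.items():
        if path.lower() == POLICY_RUN.lower():
            return sorted(vals.items())
    return []

def ie_desktop_icon_hidden(keys):
    return any(_value(keys, HIDE_ICONS + '\\' + mode, IE_DESKTOP_ICON) == 1
               for mode in ('NewStartPanel', 'ClassicStartMenu'))

def exe_extension_hidden(keys):
    """NeverShowExt on exefile hides .exe even when extension display is enabled."""
    return _value(keys, r'HKEY_CLASSES_ROOT\exefile', 'NeverShowExt') is not None

def safeboot_disk_class_missing(keys):
    """SafeBoot branches present in the export whose disk-drive class entry is gone."""
    present = {p.lower() for p in keys}
    return [b for b in ('Minimal', 'Network')
            if (SAFEBOOT + '\\' + b).lower() in present
            and (SAFEBOOT + '\\' + b + '\\' + DISK_DRIVE_CLASS).lower() not in present]

if __name__ == '__main__':
    k = parse_reg(SAMPLE_REG)
    print('IFEO Debugger hijacks:', ifeo_debugger_hijacks(k))
    print('Policies\\Explorer\\Run:', policy_run_entries(k))
    print('IE desktop icon hidden:', ie_desktop_icon_hidden(k))
    print('.exe extension hidden:', exe_extension_hidden(k))
    print('SafeBoot disk class missing in:', safeboot_disk_class_missing(k))
```

On a real export, any IFEO Debugger value that is not a debugger you installed yourself is suspicious, whatever the command; "ntsd -d" is merely the variant this family uses. The SafeBoot check only reports branches that appear in the export, so export the whole SYSTEM hive rather than a single key.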
Spreading
The worm copies itself into the root folders of local, remote and removable drives, using the following filename:
- %drive%\My Documamts.exe
It also searches the folders on local drives, skipping any whose name contains one of the following strings:
- Windows
- Program files
- Documents and Settigns
- System Volume Information
For each remaining folder it creates a further copy of itself, named after that folder with the extension ".exe"; because the worm also sets NeverShowExt for executables, Explorer displays the copy without its extension.
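A responder looking for the copies described above can walk a drive and flag them by name pattern. The script below is an added example for this page, not the worm's code and not from any vendor tool. It assumes, since the description does not say, that a copy named after a folder may sit either beside that folder or inside it, and it deliberately does not honour the worm's own exclusion list. The sample tree is constructed in a temporary directory from the filenames listed on this page; the near-match check for the dropped "Intennet Exploner.lnk" shortcut uses difflib's similarity ratio against the legitimate "Internet Explorer" name.

```python
"""Hunt for the file-system artifacts listed under Installation and Spreading (added example)."""
import difflib
import os
import shutil
import tempfile

DRIVE_ROOT_COPY = "My Documamts.exe"        # name the worm uses in drive roots
SHORTCUT_TARGETS = ("Internet Explorer",)   # legitimate names a dropped shortcut imitates

def find_folder_mimics(root):
    """Relative paths of files named <folder>.exe beside or inside a folder <folder>.

    Both placements are checked (an assumption; the page gives only the naming rule),
    and no folder is skipped: the worm's exclusion list is its business, not ours.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}
        for d in dirnames:                       # copy placed beside the folder
            f = by_lower.get(d.lower() + ".exe")
            if f:
                hits.append(os.path.join(dirpath, f))
        if dirpath != root:                      # copy placed inside the folder
            f = by_lower.get(os.path.basename(dirpath).lower() + ".exe")
            if f:
                hits.append(os.path.join(dirpath, f))
    return sorted(os.path.relpath(h, root).replace(os.sep, "/") for h in hits)

def drive_root_copy_present(root):
    """True if the drive-root dropper name exists directly under root (case-insensitive)."""
    return any(f.lower() == DRIVE_ROOT_COPY.lower() for f in os.listdir(root))

def find_lookalike_shortcuts(desktop, threshold=0.8):
    """.lnk/.url names that nearly, but not exactly, match a legitimate shortcut name."""
    hits = []
    for f in sorted(os.listdir(desktop)):
        stem, ext = os.path.splitext(f)
        if ext.lower() not in (".lnk", ".url"):
            continue
        for target in SHORTCUT_TARGETS:
            if stem.lower() == target.lower():
                continue                         # the genuine shortcut is fine
            ratio = difflib.SequenceMatcher(None, stem.lower(), target.lower()).ratio()
            if ratio >= threshold:
                hits.append(f)
    return hits

def build_sample_tree():
    """Construct a throwaway tree that mimics an infected drive (sample data, not real)."""
    root = tempfile.mkdtemp(prefix="delf_nrc_")
    for d in ("Photos", "Work", "Windows", "Desktop"):
        os.mkdir(os.path.join(root, d))
    for rel in ("Photos.exe", os.path.join("Work", "Work.exe"), DRIVE_ROOT_COPY,
                os.path.join("Desktop", "Intennet Exploner.lnk"),
                os.path.join("Desktop", "Internet Explorer.lnk"),
                os.path.join("Desktop", "My Computer.lnk")):
        open(os.path.join(root, rel), "wb").close()
    return root

def triage(root):
    return {
        "folder_mimics": find_folder_mimics(root),
        "drive_root_copy": drive_root_copy_present(root),
        "lookalike_shortcuts": find_lookalike_shortcuts(os.path.join(root, "Desktop")),
    }

if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        print(triage(sample))
    finally:
        shutil.rmtree(sample)
```

Run it against a mounted image or a copy of the drive, not the live infected system, since the worm terminates common administrative tools and hooks process enumeration. Any hit on a folder mimic should be paired with a hash comparison: every copy the worm drops is the same executable.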
Other information
The worm may delete the following files:
- %startup%\*.vbe
- %startup%\*.jse
- %startup%\*.bat
- %startup%\*.url
- %startup%\*.exe
- %startup%\*.scr
- %startup%\*.com
- %startup%\*.pif
- %startup%\*.htm
- %startup%\*.html
- %startup%\*.lnk
- %commonstartup%\*.vbe
- %commonstartup%\*.jse
- %commonstartup%\*.bat
- %commonstartup%\*.url
- %commonstartup%\*.exe
- %commonstartup%\*.scr
- %commonstartup%\*.com
- %commonstartup%\*.pif
- %commonstartup%\*.htm
- %commonstartup%\*.html
- %commonstartup%\*.lnk
- %system%\drivers\etc\hosts
- C:\RECYCLER\winlogon.exe
- %system%\RavExt.dll
- %system%\bsmain.exe
- %commondesktopdirectory%\360*.lnk
- %desktopdirectory%\360*.lnk
- %desktopdirectory%\QQS*.lnk
- %startmenu%\QQS*.lnk
- %commonstartmenu%\360*.lnk
- %desktopdirectory%\*.url
- %commondesktopdirectory%\*.lnk
- %commondesktopdirectory%\360*.lnk
The worm may create the following files:
- C:\%variable%.txt
- C:\%variable%.jpg
- C:\%variable%.bmp
- C:\%variable%.gif
- C:\%variable%.doc
A string with variable content is used instead of %variable%.
The following programs are terminated:
- netsh.exe
- conime.exe
- regedit.exe
- wscript.exe
- regsvr32.exe
- rundll32.exe
- wmiprvse.exe
- ipconfig.exe
The worm may install the following kernel driver:
- %system%\drivers\kpscc.sys
It is loaded through the following Registry entry, which reuses the service name of the legitimate Microsoft DirectMusic synthesizer driver (DMusic.sys):
- [HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DMusic]
- "ImagePath" = "%system%\drivers\kpscc.sys"
The worm may execute the following commands:
- explorer.exe http://www.sfc008.com/?TJ-%variable%
- explorer.exe http://www.sfc008.com/index.html?TJ-%variable%
The worm affects the behavior of the following applications:
- Tencent QQ
- Xunlei Thunder
The worm attempts to hide its presence on the system by hooking the following Windows API, through which process lists are enumerated:
- NtQuerySystemInformation (ntdll.dll)