Worm.Win32.Shakblades_044de297a0

by malwarelabrobot on October 29th, 2013 in Malware Descriptions.

Trojan.GenericKDV.1311723 (BitDefender), Trojan:Win32/Dynamer!dtc (Microsoft), Worm.Win32.Shakblades.qib (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.GenericKDV.1311723 (B) (Emsisoft), Artemis!044DE297A0C0 (McAfee), Trojan.Gen (Symantec), Worm.Win32.Shakblades (Ikarus), Trojan.GenericKDV.1311723 (FSecure), Inject.BYWV (AVG)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 044de297a0c023d939300d84e95074ee
SHA1: f8b9310d7d3df883b1a42dbb7028206be2e86dc4
SHA256: fa249945664b5447ca33862f6bb1dca03dcf1370fc49e15cc852eae5bfb6adba
SSDeep:
Size: 247710 bytes
File type: broken
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftWindowsShortcutfile
Company: no certificate found
Created at: 2013-09-30 16:34:07


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Worm. A program that replicates itself primarily over networks or removable drives.

Note that in this sandbox run no payload, no network activity and no rootkit activity were observed, and the file type is reported as "broken", so the classification above rests on the vendor detection names listed at the top rather than on the behaviour recorded below. The file and registry changes listed below are the standard artefacts written when a process initialises the Windows Media Format SDK (the WMSDKNS*.XML namespace files and the HKCU\Software\Microsoft\Windows Media\WMSDK and MediaPlayer keys) and the WinINet cache (Content.IE5 and the Internet Settings\Cache\Paths keys). They show that the process loaded those components, not behaviour specific to this family, and should be treated as low-confidence indicators; the file hashes above remain the reliable identifier.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

044de297a0c023d939300d84e95074ee.exe:816

File activity

The process 044de297a0c023d939300d84e95074ee.exe:816 makes changes to the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0 (24576 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak (58342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML (25574 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.done (0 bytes)

Registry activity

The process 044de297a0c023d939300d84e95074ee.exe:816 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyPort" = "1755"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyExclude" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows Media\WMSDK\Namespace]
"DTDFile" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"

[HKCU\Software\Microsoft\Windows Media\WMSDK\Namespace]
"LocalDelta" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyName" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyExclude" = ""

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyPort" = "80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyName" = ""

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyBypass" = "0"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyBypass" = "0"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyName" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyExclude" = ""

[HKCU\Software\Microsoft\Windows Media\WMSDK\General]
"UniqueID" = "{53279927-02F5-4CF5-B0F6-5D3237CAD393}"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyStyle" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 22 D3 B1 5A 0C E0 76 ED FA 91 A8 81 22 49 B3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows Media\WMSDK\General]
"ComputerName" = "%ComputerName%"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP]
"ProxyBypass" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS]
"ProxyStyle" = "0"

[HKCU\Software\Microsoft\Windows Media\WMSDK\Namespace]
"RemoteDelta" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyPort" = "554"

[HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP]
"ProxyStyle" = "0"

[HKCU\Software\Microsoft\Windows Media\WMSDK\General]
"VolumeSerialNumber" = "1886890347"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows Media\WMSDK\Namespace]
"LocalBase" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"

[HKCU\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying]
"InitFlags" = "1"

The Worm deletes the following registry key(s):

[HKCU\Software\Microsoft\MediaPlayer\Health\{C5716CCD-C130-413E-B6BF-D22675CA3CD4}]

The Worm deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\MediaPlayer\Player\Settings]
"Client ID"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    044de297a0c023d939300d84e95074ee.exe:816

  2. Delete the original Worm file (MD5 044de297a0c023d939300d84e95074ee, 247710 bytes).
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0 (24576 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak (58342 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML (53 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
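The manual steps above amount to: find the file by hash, terminate its process, then check the listed artefacts. The following Python script, added here as an example and not part of Lavasoft's report or tooling, automates the hash-based part offline: it sweeps a directory for any file whose MD5, SHA-1 and SHA-256 all match the values in the report, and checks whether the listed artefact paths exist once the sandbox placeholders are expanded to a real profile path. The scan root, the profile root and the decoy file built by demo() are assumptions constructed for illustration; the hashes, size and paths are the report's own.

```python
"""Offline IOC sweep for the sample described in this report.

Added example by the editor, not Lavasoft's or the report's own code. The
hashes, file size and artifact paths below are copied from the report; the
scan root, profile root and the decoy file built by demo() are constructed
here purely for illustration.
"""
import hashlib
import os
import tempfile

# Hashes and size quoted in the report for 044de297a0c023d939300d84e95074ee.exe.
IOC_HASHES = {
    "md5": "044de297a0c023d939300d84e95074ee",
    "sha1": "f8b9310d7d3df883b1a42dbb7028206be2e86dc4",
    "sha256": "fa249945664b5447ca33862f6bb1dca03dcf1370fc49e15cc852eae5bfb6adba",
}
IOC_SIZE = 247710  # bytes

# Artifacts the report lists as created or modified, placeholders kept verbatim.
# These are standard Windows Media Format SDK / IE cache files, so their mere
# presence is weak evidence; treat them as supporting context, not a detection.
ARTIFACT_TEMPLATES = [
    r"%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini",
    r"%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML.bak",
    r"%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML",
]
PLACEHOLDER = r"%Documents and Settings%\%current user%"


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def file_digests(path: str) -> dict:
    """Same three digests for a file, streamed so large files are not loaded whole."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_sample(found: dict) -> bool:
    """True only when all three digests match: MD5 or SHA-1 alone is not enough
    to identify a file, since both are collision-prone."""
    return all(found.get(name) == value for name, value in IOC_HASHES.items())


def expand_artifact(template: str, profile_root: str) -> str:
    """Replace the sandbox placeholder with a concrete user-profile path."""
    return template.replace(PLACEHOLDER, profile_root)


def sweep(scan_root: str) -> list:
    """Walk scan_root and return every file whose content matches the sample.
    Size is checked first as a cheap pre-filter: identical hashes imply identical size."""
    hits = []
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) != IOC_SIZE:
                    continue
                if matches_sample(file_digests(path)):
                    hits.append(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
    return hits


def present_artifacts(profile_root: str) -> list:
    """Expanded artifact paths that actually exist under profile_root."""
    return [p for p in (expand_artifact(t, profile_root) for t in ARTIFACT_TEMPLATES)
            if os.path.exists(p)]


def demo() -> tuple:
    """Self-contained run: a decoy of the right size but wrong content must not hit."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")  # constructed scan root (assumption)
    with open(os.path.join(root, "decoy.exe"), "wb") as fh:
        fh.write(b"\x00" * IOC_SIZE)  # constructed decoy, not the sample
    return sweep(root), present_artifacts(root)


if __name__ == "__main__":
    hits, artifacts = demo()
    print("sample hits:", hits)
    print("artifacts present:", artifacts)
```

Run it against a real profile with `sweep(r"C:\")` and `present_artifacts(r"C:\Documents and Settings\<user>")`; a hit from sweep() is what justifies step 1 (terminate) and step 2 (delete), while present_artifacts() only tells you the Windows Media SDK and cache files from step 3 exist, which they will on many clean machines too.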