Virus.Win32.SALITY.RV.orig

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It does not have any backdoor routine.

It does not have any information-stealing capability.

It connects to certain websites to send and receive information.

Arrival Details

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Virus drops the following files:

• %Windows%\{Random Characters}
• %User Temp%\{Random Characters} → if %Windows%\{Random Characters} is not created
• %User Temp%\{Random Characters 1}.exe or %User Temp%\win{Random Characters 1}.exe → detected as TROJ_SALSTUB.A
• %User Temp%\{6 Random Characters}.exe → copy of ntkrnlpa.exe, deleted afterwards
• %System%\drivers\{6 Random characters}.sys → detected as RTKT_SALITY.RL, deleted afterwards
• {Available Drive Except for CD-ROM Drives}:\autorun.inf → file attribute set to HIDDEN and SYSTEM

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following processes:

• %User Temp%\{Random Characters 2}.exe or %User Temp%\win{Random Characters 2}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It injects itself into the following processes running in the affected system's memory:

• All running processes except for those created by the following account names:
  • SYSTEM
  • LOCAL SERVICE
  • NETWORK SERVICE

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• uxJLpe1m
• {Process Name}M_{Process ID} → For all current running processes in the system

Other System Modifications

This Virus deletes the following files:

• Files with .exe extension in %User Temp%.

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It deletes the following folders:

• Folders with _Rar as folder name in %User Temp%.

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following line(s)/entry(ies) in the SYSTEM.INI file:

• [mci]
  [MCIDRV_VER]
  DEVICEMB={Random Decimal Numbers}

It adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplication\
List
{Malware File Path}\{Malware File Name} = {Malware File Path}\{Malware File Name}:*:Enabled:ipsec

HKEY_CURRENT_USER\Software\{Generated Characters from First 4 Letters of Computer Name}
{Random Character}{Incrementing Number from 1 to 4}_{Incrementing Number from 0} = {Random Characters}

HKEY_CURRENT_USER\Software\{Generated Characters from First 4 Letters of Computer Name}\
{Random Numbers}
{Random Characters} = {Random Characters}

HKEY_CURRENT_USER\Software\{Generated Characters from First 4 Letters of Computer Name}\
{Random Numbers}
{Random Characters} = {Hex Value}

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
AntiVirusDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
FirewallDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
FirewallOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
UpdatesDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
UacDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = 0

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = 1

(Note: The default value data of the said registry entry is 0.)

It adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\{Generated Characters from First 4 Letters of Computer Name}

HKEY_CURRENT_USER\Software\{Generated Characters from First 4 Letters of Computer Name}\
{Random Numbers}

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 2

(Note: The default value data of the said registry entry is 1.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\SafeBoot\{All Enumerated Subkeys}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\{All Enumerated Subkeys}

File Infection

This Virus infects the following file types:

• .EXE
• .SCR

It avoids infecting folders containing the following strings:

• C:\Windows
• SYSTEM

It avoids infecting files that contain the following strings in their names:

• AVPM
• A2GUARD
• A2CMD
• A2SERVICE
• A2FREE
• AVAST
• ADVCHK
• AGB
• AKRNL
• AHPROCMONSERVER
• AIRDEFENSE
• ALERTSVC
• AVIRA
• AMON
• TROJAN
• AVZ
• ANTIVIR
• APVXDWIN
• ARMOR2NET
• ASHAVAST
• ASHDISP
• ASHENHCD
• ASHMAISV
• ASHPOPWZ
• ASHSERV
• ASHSIMPL
• ASHSKPCK
• ASHWEBSV
• ASWUPDSV
• ASWSCAN
• AVCIMAN
• AVCONSOL
• AVENGINE
• AVESVC
• AVEVAL
• AVEVL32
• AVGAM
• AVGCC.AVGCHSVX
• AVGCSRVX
• AVGNSX
• AVGCC32
• AVGCTRL
• AVGEMC
• AVGFWSRV
• AVGNT
• AVCENTER
• AVGNTMGR
• AVGSERV
• AVGTRAY
• AVGUARD
• AVGUPSVC
• AVGWDSVC
• AVINITNT
• AVKSERV
• AVKSERVICE
• AVKWCTL
• AVP
• AVP32
• AVPCC
• AVAST
• AVSERVER
• AVSCHED32
• AVSYNMGR
• AVWUPD32
• AVWUPSRV
• AVXMONITOR
• AVXQUAR
• BDSWITCH
• BLACKD
• BLACKICE
• CAFIX
• BITDEFENDER
• CCEVTMGR
• CFP
• CFPCONFIG
• CCSETMGR
• CFIAUDIT
• CLAMTRAY
• CLAMWIN
• CUREIT
• DEFWATCH
• DRVIRUS
• DRWADINS
• DRWEB
• DEFENDERDAEMON
• DWEBLLIO
• DWEBIO
• ESCANH95
• ESCANHNT
• EWIDOCTRL
• EZANTIVIRUSREGISTRATIONCHECK
• F-AGNT95
• FAMEH32
• FILEMON
• FIREWALL
• FORTICLIENT
• FORTITRAY
• FORTISCAN
• FPAVSERVER
• FPROTTRAY
• FPWIN
• FRESHCLAM
• EKRN
• FSAV32
• FSAVGUI
• FSBWSYS
• F-SCHED
• FSDFWD
• FSGK32
• FSGK32ST
• FSGUIEXE
• FSMA32
• FSMB32
• FSPEX
• FSSM32
• F-STOPW
• GCASDTSERV
• GCASSERV
• GIANTANTISPYWARE
• GUARDGUI
• GUARDNT
• GUARDXSERVICE
• GUARDXKICKOFF
• HREGMON
• HRRES
• HSOCKPE
• HUPDATE
• IAMAPP
• IAMSERV
• ICLOAD95
• ICLOADNT
• ICMON
• ICSSUPPNT
• ICSUPP95
• ICSUPPNT
• IPTRAY
• INETUPD
• INOCIT
• INORPC
• INORT
• INOTASK
• INOUPTNG
• IOMON98
• ISAFE
• ISATRAY
• KAV
• KAVMM
• KAVPF
• KAVPFW
• KAVSTART
• KAVSVC
• KAVSVCUI
• KMAILMON
• MAMUTU
• MCAGENT
• MCMNHDLR
• MCREGWIZ
• MCUPDATE
• MCVSSHLD
• MINILOG
• MYAGTSVC
• MYAGTTRY
• NAVAPSVC
• NAVAPW32
• NAVLU32
• NAVW32
• NEOWATCHLOG
• NEOWATCHTRAY
• NISSERV
• NISUM
• NMAIN
• NOD32
• NORMIST
• NOTSTART
• NPAVTRAY
• NPFMNTOR
• NPFMSG
• NPROTECT
• NSCHED32
• NSMDTR
• NSSSERV
• NSSTRAY
• NTRTSCAN
• NTOS
• NTXCONFIG
• NUPGRADE
• NVCOD
• NVCTE
• NVCUT
• NWSERVICE
• OFCPFWSVC
• OUTPOST
• ONLINENT
• OPSSVC
• OP_MON
• PAVFIRES
• PAVFNSVR
• PAVKRE
• PAVPROT
• PAVPROXY
• PAVPRSRV
• PAVSRV51
• PAVSS
• PCCGUIDE
• PCCIOMON
• PCCNTMON
• PCCPFW
• PCCTLCOM
• PCTAV
• PERSFW
• PERTSK
• PERVAC
• PESTPATROL
• PNMSRV
• PREVSRV
• PREVX
• PSIMSVC
• QUHLPSVC
• QHONLINE
• QHONSVC
• QHWSCSVC
• QHSET
• RFWMAIN
• RTVSCAN
• RTVSCN95
• SALITY
• SAPISSVC
• SCANWSCS
• SAVADMINSERVICE
• SAVMAIN
• SAVPROGRESS
• SAVSCAN
• SCANNINGPROCESS
• SDRA64
• SDHELP
• SHSTAT
• SITECLI
• SPBBCSVC
• SPHINX
• SPIDERCPL
• SPIDERML
• SPIDERNT
• SPIDERUI
• SPYBOTSD
• SPYXX
• SS3EDIT
• STOPSIGNAV
• SWAGENT
• SWDOCTOR
• SWNETSUP
• SYMLCSVC
• SYMPROXYSVC
• SYMSPORT
• SYMWSC
• SYNMGR
• TAUMON
• TBMON
• TMLISTEN
• TMNTSRV
• TMPROXY
• TNBUTIL
• TRJSCAN
• VBA32ECM
• VBA32IFS
• VBA32LDR
• VBA32PP3
• VBSNTW
• VCRMON
• VPTRAY
• VRFWSVC
• VRMONNT
• VRMONSVC
• VRRW32
• VSECOMR
• VSHWIN32
• VSMON
• VSSERV
• VSSTAT
• WATCHDOG
• WEBSCANX
• WINSSNOTIFY
• WRCTRL
• XCOMMSVR
• ZLCLIENT
• ZONEALARM

It avoids infecting the following files:

• Protected System Files
• Files in CD-ROM drives

Propagation

This Virus drops the following copy of itself in all physical and removable drives:

• {Available Drive Except for CD-ROM Drives}:\{Random Characters}.{pif or exe}

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;
[AutoRun]

;{Garbage Characters}
Shell\opEN\DefaulT=1
;{Garbage Characters}
OPEN =ptmisp.exe
;{Garbage Characters}
ShEll\open\cOmmaND = {Malware File Name}.{pif or exe}

;{Garbage Characters}
ShEll\explOre\cOmmaNd={Malware File Name}.{pif or exe}
;{Garbage Characters}
ShelL\AutoPlAY\CoMmaNd ={Malware File Name}.{pif or exe}
;{Garbage Characters}

Backdoor Routine

This Virus does not have any backdoor routine.

Rootkit Capabilities

This Virus does not have rootkit capabilities.

Process Termination

This Virus terminates the following services if found on the affected system:

• AVP
• Agnitum Client Security Service
• ALG
• Amon monitor
• aswUpdSv
• aswMon2
• aswRdr
• aswSP
• aswTdi
• aswFsBlk
• acssrv
• AV Engine
• avast! iAVS4 Control Service
• avast! Antivirus
• avast! Mail Scanner
• avast! Web Scanner
• avast! Asynchronous Virus Monitor
• avast! Self Protection
• AVG E-mail Scanner
• Avira AntiVir Premium Guard
• Avira AntiVir Premium WebGuard
• Avira AntiVir Premium MailGuard
• BGLiveSvc
• BlackICE
• CAISafe
• ccEvtMgr
• ccProxy
• ccSetMgr
• COMODO Firewall Pro Sandbox Driver
• cmdGuard
• cmdAgent
• Eset Service
• Eset HTTP Server
• Eset Personal Firewall
• F-Prot Antivirus Update Monitor
• fsbwsys
• FSDFWD
• F-Secure Gatekeeper Handler Starter
• FSMA
• Google Online Services
• InoRPC
• InoRT
• InoTask
• ISSVC
• KPF4
• KLIF
• LavasoftFirewall
• LIVESRV
• McAfeeFramework
• McShield
• McTaskManager
• MpsSvc
• navapsvc
• NOD32krn
• NPFMntor
• NSCService
• Outpost Firewall main module
• OutpostFirewall
• PAVFIRES
• PAVFNSVR
• PavProt
• PavPrSrv
• PAVSRV
• PcCtlCom
• PersonalFirewal
• PREVSRV
• ProtoPort Firewall service
• PSIMSVC
• RapApp
• SharedAccess
• SmcService
• SNDSrvc
• SPBBCSvc
• SpIDer FS Monitor for Windows NT
• SpIDer Guard File System Monitor
• SPIDERNT
• Symantec Core LC
• Symantec Password Validation
• Symantec AntiVirus Definition Watcher
• SavRoam
• Symantec AntiVirus
• Tmntsrv
• TmPfw
• UmxAgent
• UmxCfg
• UmxLU
• UmxPol
• vsmon
• VSSERV
• WebrootDesktopFirewallDataService
• WebrootFirewall
• wscsvc
• XCOMM

It terminates the following processes if found running in the affected system's memory:

• AVPM
• A2GUARD
• A2CMD
• A2SERVICE
• A2FREE
• AVAST
• ADVCHK
• AGB
• AKRNL
• AHPROCMONSERVER
• AIRDEFENSE
• ALERTSVC
• AVIRA
• AMON
• TROJAN
• AVZ
• ANTIVIR
• APVXDWIN
• ARMOR2NET
• ASHAVAST
• ASHDISP
• ASHENHCD
• ASHMAISV
• ASHPOPWZ
• ASHSERV
• ASHSIMPL
• ASHSKPCK
• ASHWEBSV
• ASWUPDSV
• ASWSCAN
• AVCIMAN
• AVCONSOL
• AVENGINE
• AVESVC
• AVEVAL
• AVEVL32
• AVGAM
• AVGCC
• AVGCHSVX
• AVGCSRVX
• AVGNSX
• AVGCC32
• AVGCTRL
• AVGEMC
• AVGFWSRV
• AVGNT
• AVCENTER
• AVGNTMGR
• AVGSERV
• AVGTRAY
• AVGUARD
• AVGUPSVC
• AVGWDSVC
• AVINITNT
• AVKSERV
• AVKSERVICE
• AVKWCTL
• AVP
• AVP32
• AVPCC
• AVAST
• AVSERVER
• AVSCHED32
• AVSYNMGR
• AVWUPD32
• AVWUPSRV
• AVXMONITOR
• AVXQUAR
• BDSWITCH
• BLACKD
• BLACKICE
• CAFIX
• BITDEFENDER
• CCEVTMGR
• CFP
• CFPCONFIG
• CCSETMGR
• CFIAUDIT
• CLAMTRAY
• CLAMWIN
• CUREIT
• DEFWATCH
• DRVIRUS
• DRWADINS
• DRWEB
• DEFENDERDAEMON
• DWEBLLIO
• DWEBIO
• ESCANH95
• ESCANHNT
• EWIDOCTRL
• EZANTIVIRUSREGISTRATIONCHECK
• F-AGNT95
• FAMEH32
• FILEMON
• FIREWALL
• FORTICLIENT
• FORTITRAY
• FORTISCAN
• FPAVSERVER
• FPROTTRAY
• FPWIN
• FRESHCLAM
• EKRN
• FSAV32
• FSAVGUI
• FSBWSYS
• F-SCHED
• FSDFWD
• FSGK32
• FSGK32ST
• FSGUIEXE
• FSMA32
• FSMB32
• FSPEX
• FSSM32
• F-STOPW
• GCASDTSERV
• GCASSERV
• GIANTANTISPYWARE
• GUARDGUI
• GUARDNT
• GUARDXSERVICE
• GUARDXKICKOFF
• HREGMON
• HRRES
• HSOCKPE
• HUPDATE
• IAMAPP
• IAMSERV
• ICLOAD95
• ICLOADNT
• ICMON
• ICSSUPPNT
• ICSUPP95
• ICSUPPNT
• IPTRAY
• INETUPD
• INOCIT
• INORPC
• INORT
• INOTASK
• INOUPTNG
• IOMON98
• ISAFE
• ISATRAY
• KAV
• KAVMM
• KAVPF
• KAVPFW
• KAVSTART
• KAVSVC
• KAVSVCUI
• KMAILMON
• MAMUTU
• MCAGENT
• MCMNHDLR
• MCREGWIZ
• MCUPDATE
• MCVSSHLD
• MINILOG
• MYAGTSVC
• MYAGTTRY
• NAVAPSVC
• NAVAPW32
• NAVLU32
• NAVW32
• NEOWATCHLOG
• NEOWATCHTRAY
• NISSERV
• NISUM
• NMAIN
• NOD32
• NORMIST
• NOTSTART
• NPAVTRAY
• NPFMNTOR
• NPFMSG
• NPROTECT
• NSCHED32
• NSMDTR
• NSSSERV
• NSSTRAY
• NTRTSCAN
• NTOS
• NTXCONFIG
• NUPGRADE
• NVCOD
• NVCTE
• NVCUT
• NWSERVICE
• OFCPFWSVC
• OUTPOST
• ONLINENT
• OPSSVC
• OP_MON
• PAVFIRES
• PAVFNSVR
• PAVKRE
• PAVPROT
• PAVPROXY
• PAVPRSRV
• PAVSRV51
• PAVSS
• PCCGUIDE
• PCCIOMON
• PCCNTMON
• PCCPFW
• PCCTLCOM
• PCTAV
• PERSFW
• PERTSK
• PERVAC
• PESTPATROL
• PNMSRV
• PREVSRV
• PREVX
• PSIMSVC
• QUHLPSVC
• QHONLINE
• QHONSVC
• QHWSCSVC
• QHSET
• RFWMAIN
• RTVSCAN
• RTVSCN95
• SALITY
• SAPISSVC
• SCANWSCS
• SAVADMINSERVICE
• SAVMAIN
• SAVPROGRESS
• SAVSCAN
• SCANNINGPROCESS
• SDRA64
• SDHELP
• SHSTAT
• SITECLI
• SPBBCSVC
• SPHINX
• SPIDERCPL
• SPIDERML
• SPIDERNT
• SPIDERUI
• SPYBOTSD
• SPYXX
• SS3EDIT
• STOPSIGNAV
• SWAGENT
• SWDOCTOR
• SWNETSUP
• SYMLCSVC
• SYMPROXYSVC
• SYMSPORT
• SYMWSC
• SYNMGR
• TAUMON
• TBMON
• TMLISTEN
• TMNTSRV
• TMPROXY
• TNBUTIL
• TRJSCAN
• VBA32ECM
• VBA32IFS
• VBA32LDR
• VBA32PP3
• VBSNTW
• VCRMON
• VPTRAY
• VRFWSVC
• VRMONNT
• VRMONSVC
• VRRW32
• VSECOMR
• VSHWIN32
• VSMON
• VSSERV
• VSSTAT
• WATCHDOG
• WEBSCANX
• WINSSNOTIFY
• WRCTRL
• XCOMMSVR
• ZLCLIENT
• ZONEALARM
• Processes with the following loaded modules:
  • DWEBLLIO
  • DWEBIO

Download Routine

This Virus connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}dovertime.com/nb4?{Random Numbers} → as of this writing, the said site is inaccessible
• http://{BLOCKED}ucket.biz/nv4?{Random Numbers}

It saves the files it downloads using the following names:

• %User Temp%\{Random Characters 2}.exe or %User Temp%\win{Random Characters 2}.exe → detected as Trojan.Win32.CLIPPER.VSNW14B25, deleted afterwards

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Information Theft

This Virus does not have any information-stealing capability.

Other Details

This Virus connects to the following website to send and receive information:

• 0.0.0.0:{Random Port}
• 94.76.{BLOCKED}.{BLOCKED}:{BLOCKED}

It does the following:

• It adds and runs the following services:
  • Service Name: amsint32
    Image Path = %System%\drivers\{6 Random Characters}.sys
  • Service Name: IpFilterDriver
    Image Path = %System%\drivers\ipfltdrv.sys
• It infects .exe files discovered under the following registry keys:
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • In HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\Windows\Shell\MuiCache
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It does not exploit any vulnerability.