Systweak Spyware Library
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Worm.detnat Analysis Report
Threat Submitted On: 9/19/2008 11:47:00 PM
Threat Analysed On: 9/20/2008 4:47:00 AM
Threat Updated On: 1/28/2011 7:37:52 AM
Type : Worm
Symptoms of detnat
  • Replicates itself and spreads to other computers on the network.
  • Installed by executing scripts from infected e-mail attachments or messages.
Information
Alias : worm.win32.detnat.f
Md5 Hash : [1bb6bac0eb308c20b02fdeeb3c6690ad]
File Size : (66179 bytes)

Technical Details

Here are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system.
Note:
Delete the following files to remove the infection.
File: normal.exe
Path : %allusersprofile%\application data

Md5Hash :
073af186694b134d6ef5337219b60259 ( 77824 bytes)
9d9ededb02bb85657e9f8349549d7465 ( 126976 bytes)
File: newsid.exe
Path : %homepath%\desktop

Md5Hash :1b7428a3ee6a77249c931c4b05d9cc71 ( 228152 bytes)
File: 3f328d388dee95bd952eb6f80298e985.exe
Path : %networkpath%

Md5Hash :( bytes)
File: cepsetup.exe
Path : %networkpath%

Md5Hash :13d1540710189f54a6416a1009744391 ( 155396 bytes)
File: chklnks.exe
Path : %networkpath%

Md5Hash :ef4b2f4648b0b7ec6d35bcacc86cb107 ( 364032 bytes)
File: cleanspl.exe
Path : %networkpath%

Md5Hash :d1b89c8c2e9fd62b3e1ed07b07175411 ( 93696 bytes)
File: clusterrecovery.exe
Path : %networkpath%

Md5Hash :6d323356d8f8af980e010e6c04d076b2 ( 155648 bytes)
File: conf.exe
Path : %networkpath%

Md5Hash :
33fbf4ef2cfe8339b8dcbc20b080fe4b ( 1032192 bytes)
5e19d8e13027fafd0a39e7abbc155bd8 ( 1032192 bytes)
File: dialer.exe
Path : %networkpath%

Md5Hash :dd252950a85d8c218f73decf9e28417e ( 539136 bytes)
File: dir2file.exe
Path : %networkpath%

Md5Hash :
be614b9ed783914493d15ea1ed195741 ( 96516 bytes)
d6979b32d86e33feb98079bbbb61834e ( 67844 bytes)
File: dw20.exe
Path : %networkpath%

Md5Hash :
118226a93f5b39dd6b9dcc3f26eb0fa0 ( 631488 bytes)
90e956a6704a54430b1d8b58d077c46a ( 631488 bytes)
File: dwtrig20.exe
Path : %networkpath%

Md5Hash :
1a43603995416295ad9a1045ebf7c840 ( 50380 bytes)
ac9c01a306d07c3a1f2f5d56a0eda0c3 ( 79083 bytes)
File: eventcombmt.exe
Path : %networkpath%

Md5Hash :9849992c300e79009fcf90b5d7609224 ( 115712 bytes)
File: fcsetup.exe
Path : %networkpath%

Md5Hash :6cf8f4627c46ca5e71b886f0d287766e ( 211204 bytes)
File: gpmonitor.exe
Path : %networkpath%

Md5Hash :cef4612aac20024896921afb71cadfd4 ( 1126148 bytes)
File: hypertrm.exe
Path : %networkpath%

Md5Hash :fff19b3f104556ec5b331372ac30bc55 ( 50436 bytes)
File: icwconn1.exe
Path : %networkpath%

Md5Hash :
81f73fa1fc01cf7909734255b42987df ( 214528 bytes)
d7a74e51630435daa2e997adc703c606 ( 214528 bytes)
File: icwconn2.exe
Path : %networkpath%

Md5Hash :
7398f9fd3a99391f1305063a0c6fbfd9 ( 86016 bytes)
a267df8aa4812bd1f41b2f64928faff3 ( 96964 bytes)
File: icwrmind.exe
Path : %networkpath%

Md5Hash :
4017a59bb0a68fceadae2e44e1346c5e ( 65032 bytes)
c0e24899a9ad6dcb0ac233b21b0019d0 ( 36329 bytes)
File: icwtutor.exe
Path : %networkpath%

Md5Hash :
3d9253b3c47aacfd752dbb94133dcb78 ( 100129 bytes)
b47dc2d4cb9299c97f6a9b5dfe010d46 ( 73728 bytes)
File: iedw.exe
Path : %networkpath%

Md5Hash :
e004e83f815539f8eef620ea7bbbd60b ( 39870 bytes)
e1c65c2b85c953e6ce4aa711fecba8ff ( 68573 bytes)
File: inetwiz.exe
Path : %networkpath%

Md5Hash :
4f16ef08cba6824a75c368afd4258602 ( 65284 bytes)
68d87b5418b7074f7a04b10cc4d8ff29 ( 36100 bytes)
File: isignup.exe
Path : %networkpath%

Md5Hash :
4f89fa110e8218af7ac95728cc6ebe41 ( 62212 bytes)
b3ef33a4a1410bc169369938e2579e0b ( 33540 bytes)
File: migrate.exe
Path : %networkpath%

Md5Hash :0f6f4847925e01761c3e4984ecebc1c9 ( 786432 bytes)
File: msimn.exe
Path : %networkpath%

Md5Hash :
11e5cb2d8289cf6aff479e7b6bd9a9ed ( 82692 bytes)
920a3910551ff50cbe02c45d8100a1f6 ( 60416 bytes)
File: msinfo32.exe
Path : %networkpath%

Md5Hash :
ae0f3cb84a5179fb15c44ad5c71e0551 ( 54020 bytes)
b24784b81520814be98ba5dc63a0d657 ( 82692 bytes)
File: newsid.exe
Path : %networkpath%

Md5Hash :
a0565e3b9e84510c653c926d7ce7ebf4 ( 228152 bytes)
cf8ce6e2b8dd4f716622625878b693cb ( 228152 bytes)
File: oemig50.exe
Path : %networkpath%

Md5Hash :ca6e7aa5dc9ed5309d8027c3f14bb7c8 ( 65092 bytes)
File: sapisvr.exe
Path : %networkpath%

Md5Hash :
57d501a8bbb0d6e9f46cdf2b2e1a3d6f ( 45380 bytes)
6afa9761a42fc29a8641ec7c83e393c4 ( 74083 bytes)
File: setup_wm.exe
Path : %networkpath%

Md5Hash :80f79744eb9495b70c8b390d57006f61 ( 774144 bytes)
File: setup50.exe
Path : %networkpath%

Md5Hash :66f6d079caab4762e68deb2931246a18 ( 73216 bytes)
File: wab.exe
Path : %networkpath%

Md5Hash :10f1be0b938215248012cac3cde6c8cc ( 55556 bytes)
File: wabmig.exe
Path : %networkpath%

Md5Hash :56cbd0907003480427e82883bcf9b3ec ( 46852 bytes)
File: wmplayer.exe
Path : %networkpath%

Md5Hash :2b2ec6a8b43d88f27e5ce303d912dc3b ( 73728 bytes)
File: wmsetsdk.exe
Path : %networkpath%

Md5Hash :83cd8af7af2783e534501b9107bb848d ( 819200 bytes)
File: wordpad.exe
Path : %networkpath%

Md5Hash :6b6d62ea68e0875de3b06ab1f6d16cd1 ( 214528 bytes)
File: sxe4.tmp
Path : %workingdir%

Md5Hash :ec8c9bb8175b5b298ab2d1c1e3590d41 ( bytes)
File: svch0st.exe
Path : %systemdrive%\recycled

Md5Hash :
b8ec4c08ca4b450c7ffe2d63c65abf03 ( 60441 bytes)
e335159d62d0e88d185d912760c54097 ( 2057942 bytes)
File: vcab.dll
Path : %systemdrive%\temp

Md5Hash :7d70b1c5e212044b1990b941d1f33e0a ( 44544 bytes)
File: 1bb6bac0eb308c20b02fdeeb3c6690ad.exe
Path : %temp%

Md5Hash :0efa0a2aa9a5c9bae10990f3eb492a5e ( bytes)
File: 4.tmp
Path : %temp%

Md5Hash :27dbc18450627b09f4fb9bc1ad45ca2a ( 17920 bytes)
File: lsass.exe
Path : %temp%

Md5Hash :
073af186694b134d6ef5337219b60259 ( 77824 bytes)
9d9ededb02bb85657e9f8349549d7465 ( 126976 bytes)
File: update.exe
Path : %temp%

Md5Hash :6e97f3fea53be5c007cdb6efac7be57b ( 55561 bytes)
File: vcab.dll
Path : %temp%

Md5Hash :
5140fe342aaa15fb096c176109e5b523 ( 38400 bytes)
643379976e0f67d62b48a63cfb98278b ( 44032 bytes)
b18c756a8f46e51041f69545a1996545 ( 31232 bytes)
e06c985d215a73db3198223aa58c60e6 ( 31232 bytes)
File: vgod.dll
Path : %temp%

Md5Hash :
4903695a18bd155c3da71c58387c685c ( 47104 bytes)
81d2cbc2d71b762f873a10b023d0b5a1 ( 31232 bytes)
edf3c5c38f10127a84aa289875314ce7 ( 30720 bytes)
File: services.exe
Path : %userprofile%\local settings\application data\antispyclone.task

Md5Hash :
073af186694b134d6ef5337219b60259 ( 77824 bytes)
9d9ededb02bb85657e9f8349549d7465 ( 126976 bytes)
File: exeserv.exe
Path : %windir%

Md5Hash :
073af186694b134d6ef5337219b60259 ( 77824 bytes)
9d9ededb02bb85657e9f8349549d7465 ( 126976 bytes)
File: 3d soccer.scr
Path : %windir%\system32

Md5Hash :
073af186694b134d6ef5337219b60259 ( 77824 bytes)
9d9ededb02bb85657e9f8349549d7465 ( 126976 bytes)
File: av-prev.exe
Path : %windir%\system32

Md5Hash :
073af186694b134d6ef5337219b60259 ( 77824 bytes)
9d9ededb02bb85657e9f8349549d7465 ( 126976 bytes)
File: controls.exe
Path : %windir%\system32

Md5Hash :
073af186694b134d6ef5337219b60259 ( 77824 bytes)
9d9ededb02bb85657e9f8349549d7465 ( 126976 bytes)
File: gqglt.sys
Path : %windir%\system32\drivers

Md5Hash :3ecc72712703b51f3cd4bcefe38ea758 ( 5477 bytes)
File: ex-plorer.exe
Path : %windir%\system32

Md5Hash :
073af186694b134d6ef5337219b60259 ( 77824 bytes)
9d9ededb02bb85657e9f8349549d7465 ( 126976 bytes)
File: exerun.exe
Path : %windir%\system32

Md5Hash :
073af186694b134d6ef5337219b60259 ( 77824 bytes)
9d9ededb02bb85657e9f8349549d7465 ( 126976 bytes)
File: msnmsgr.exe
Path : %windir%\system32

Md5Hash :
0ec793ef3dd0f2d1af5469a7a2823b82 ( 240368 bytes)
10ac80a66b556913be990d3a73b8d98b ( 240366 bytes)
61b77296b017aadaf06f86c7bb633f7c ( 240368 bytes)
8f4a9e3f1d30cb29061e417012a162bf ( 240381 bytes)
a2bde8b1a7c19af91a4aabbada3e4f24 ( 240436 bytes)
File: voot.sys
Path : %windir%\system32

Md5Hash :fee6436da10c4c6b3a303c4d6903c07c ( bytes)
File: wmdrtc32.dl_
Path : %windir%\system32

Md5Hash :fed957eb1ba973775cf98404c51ddb91 ( 26066 bytes)
File: [randomname].exe
Path : %workingdir%

Also creates the following files on the user's system, which are also created by genuine software:
Note:
These file(s) can be kept, as they are also created by genuine software.
File : dw20.exe
Path : %networkpath%

Md5Hash :78453c62ec9ea61524f4a3b0877731e3 ( 631488 bytes)
File : dwtrig20.exe
Path : %networkpath%

Md5Hash :34125f1ca24b978df64ad98a1a0121e6 ( 36040 bytes)
File : icwconn2.exe
Path : %networkpath%

Md5Hash :7448dd5c9860e02ee99f2dccdbc0a43e ( 86016 bytes)
File : iexplore.exe
Path : %networkpath%

Md5Hash :e7484514c0464642be7b4dc2689354c8 ( 93184 bytes)
File : sapisvr.exe
Path : %networkpath%

Md5Hash :81420500b4d35c6bda89d6b694972c31 ( 36864 bytes)
File : dw20.exe
Path : %programfiles%\common files\microsoft shared\dw

Md5Hash :934dfabbdf47b94899209b6b2419d37d ( 631488 bytes)
File : dwtrig20.exe
Path : %programfiles%\common files\microsoft shared\dw

Md5Hash :a5a94e10bb13494d8ece08385427b304 ( 73343 bytes)
File : msinfo32.exe
Path : %programfiles%\common files\microsoft shared\msinfo

Md5Hash :bda4ff4dc6640152d98928422bef7639 ( 76548 bytes)
File : sapisvr.exe
Path : %programfiles%\common files\microsoft shared\speech

Md5Hash :6ff261847b0d3a2670b501d7bdd3d866 ( 68343 bytes)
File : dir2file.exe
Path : %programfiles%\dir2file

Md5Hash :d287d4f27946ba9127710527bdf91bbb ( 90372 bytes)
File : iedw.exe
Path : %programfiles%\internet explorer

Md5Hash :bf6404c7e07341783feb7749a5a6c652 ( 62833 bytes)
File : conf.exe
Path : %programfiles%\netmeeting

Md5Hash :089db56227ea5bc93300a0a79fddea1f ( 1032192 bytes)
File : msimn.exe
Path : %programfiles%\outlook express

Md5Hash :43241f0c469729732804cff34c5bf3c1 ( 76548 bytes)
File : oemig50.exe
Path : %programfiles%\outlook express

Md5Hash :bfb5f1ee0f0ab4859c5fad9cdee8f0a0 ( 88132 bytes)
File : setup50.exe
Path : %programfiles%\outlook express

Md5Hash :42d7cf8ebce163b5f6d55f449a13d7d6 ( 87775 bytes)
File : wab.exe
Path : %programfiles%\outlook express

Md5Hash :2c6e1224c70602c683575f97328fc6ad ( 78596 bytes)
File : wabmig.exe
Path : %programfiles%\outlook express

Md5Hash :ea6b7781d9e1b9f1bc6a5a34d2110b79 ( 69892 bytes)
File : migrate.exe
Path : %programfiles%\windows media player

Md5Hash :cf7afc933155bfeeb323e48bbb1503f6 ( 786432 bytes)
File : setup_wm.exe
Path : %programfiles%\windows media player

Md5Hash :c7df5a0f034bff22f6b051381e19f10f ( 774144 bytes)
File : wmplayer.exe
Path : %programfiles%\windows media player

Md5Hash :68e46e5ab7b8a8023059403fa340cdd1 ( 87812 bytes)
File : wmsetsdk.exe
Path : %programfiles%\windows media player

Md5Hash :28fed717afa3a6c715a221fce2473481 ( 819200 bytes)
File : wordpad.exe
Path : %programfiles%\windows nt\accessories

Md5Hash :483d742fcc160a0288cfa06ea1fddf4f ( 214528 bytes)
File : dialer.exe
Path : %programfiles%\windows nt

Md5Hash :a391b51be65faabf607de910e458b166 ( 539136 bytes)
File : hypertrm.exe
Path : %programfiles%\windows nt

Md5Hash :e073b9d886d8c1baf969e709b1c2648d ( 72964 bytes)
The following registry values are added to the listed registry keys:
Note:
Delete the added values from the key to remove the infection.
|__ Value Added :
msn = "msnmsgr.exe"
|__ Value Added :
msn = "msnmsgr.exe"
|__ Value Added :
runonce = "%windir%\system32\runouce.exe"
Creates the following child process(es) on execution:

%systemdrive%\docume~1\antisp~1\locals~1\temp\1bb6bac0eb308c20b02fdeeb3c6690ad.exe %workingdir%\[random name].exe /silent /s /s /qn /sp- /passive -s -s

services.exe

Creates the following mutex(es) on the user's system:
raspbfile
Tries to connect to the following URLs:
Http_Version :http/1.1
211.239.120.111/bbs/img/bbs.wos
Http_Version :http/1.1
218.234.18.150/dacom/images/pop.wos

NOTE:

1. %allusersprofile% refers to the Windows All Users profile folder. By default it is 'C:\Documents and Settings\All Users'.
2. %homepath% refers to the current user's profile folder. By default it is 'C:\Documents and Settings\[user]'.
3. %networkpath% refers to any network location on the Local Area Network (LAN).
4. %workingdir% refers to the current directory in which the user is working.
5. %systemdrive% refers to the Windows system drive. By default it is 'C:\'.
6. %temp% refers to the Windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'.
7. %userprofile% refers to the current user's profile folder. By default it is 'C:\Documents and Settings\[user]'.
8. %windir% refers to the Windows root folder. By default it is 'C:\Windows'.
9. %programfiles% refers to the Program Files folder. By default it is 'C:\Program Files'.

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify the malicious/suspicious subkeys only.


To modify registry entries in the Windows operating system, follow these steps:
1. Click Start > Run.
2. Type "regedit" to open the Registry Editor.
3. Navigate to the required registry key in the left tree control and modify it accordingly.



© Systweak Inc., 1999-2011 All rights reserved.