Allaple.B_11 is a Worm. Worms spread from computer to computer, making copies of themselves over the network. They could spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. Allaple.B_11 is compressed using the executable packer and its file size is 63,488 bytes. It uses the network connection: - Sends a ping request (ICMP.DLL) to 217.177. 6. 4.
- Sends data stream (76 bytes) to remote address "217.177.6.4", port 139.
- Connects to "217.177.6.4" on port 445 (TCP).
- Sends a ping request (ICMP.DLL) to 217.177. 8. 6.
- Sends data stream (76 bytes) to remote address "217.177.8.6", port 139.
- Connects to "217.177.8.6" on port 445 (TCP).
- Sends a ping request (ICMP.DLL) to 217.177. 10. 8.
- Sends data stream (76 bytes) to remote address "217.177.10.8", port 139.
- Connects to "217.177.10.8" on port 445 (TCP).
- Sends a ping request (ICMP.DLL) to 217.177. 12. 10.
- Sends data stream (76 bytes) to remote address "217.177.12.10", port 139.
- Connects to "217.177.12.10" on port 445 (TCP).
Allaple.B_11 drops the following files on the hard drive: - C:\kjlswwse.exe (63488 bytes)
It also changes Windows registry: - Creates key "HKCR\CLSID\{4B1C1060-F0EB-0539-3C7E-3C28618388C1}".
- Creates value "default"="rbnrhkbnrklxkrbn" in key "HKCR\CLSID\{4B1C1060-F0EB-0539-3C7E-3C28618388C1}".
- Creates key "HKCR\CLSID\{4B1C1060-F0EB-0539-3C7E-3C28618388C1}\LocalServer32".
- Creates value "default"="C:\sample.exe" in key "HKCR\CLSID\{4B1C1060-F0EB-0539-3C7E-3C28618388C1}\LocalServer32".
- Creates key "HKCR\CLSID\{A16B418C-0A5C-BA7E-2DD8-05C640206864}".
- Creates value "default"="wbtnerenjclssvwh" in key "HKCR\CLSID\{A16B418C-0A5C-BA7E-2DD8-05C640206864}".
- Creates key "HKCR\CLSID\{A16B418C-0A5C-BA7E-2DD8-05C640206864}\LocalServer32".
- Creates value "default"="C:\kjlswwse.exe" in key "HKCR\CLSID\{A16B418C-0A5C-BA7E-2DD8-05C640206864}\LocalServer32".
It creates the following mutex to ensure only one instance is running: jhdheruhfrthkgjhtjkghjk5trh. |
