Method of Spreading:Attempts to load and execute remote code in explorer process. Modifies Windows security Center settings. Attempts to load and execute remote code in a system process. Adds or modifies system policies. Could be used to prevent the or detour the use of common system tools.Attempts to write to a memory location of a protected process. Attempts to write instructions that detour an existing code path of a previously loaded process.Attempts to write to a memory location of a Windows system process.
Attempts to write to a memory location of a Windows system process.Attempts to write to a memory location where winlogon resides. Modifies Windows explorer file browser's Advanced settings.
Attempts to load and execute remote code in a previously loaded process. Sometimes used by malware to make executable files look like documents. Attempts to write to a memory location of a previously loaded process.Modifies Windows firewall settings.Enumerates many system files and directories.Enumerates process list. Process attempts to call itself recursively. Attempts to write to a memory location of an unknown process. No digital signature is present
Attempts to write to a memory location of a Windows system process.Attempts to write to a memory location where winlogon resides. Modifies Windows explorer file browser's Advanced settings.
Attempts to load and execute remote code in a previously loaded process. Sometimes used by malware to make executable files look like documents. Attempts to write to a memory location of a previously loaded process.Modifies Windows firewall settings.Enumerates many system files and directories.Enumerates process list. Process attempts to call itself recursively. Attempts to write to a memory location of an unknown process. No digital signature is present
The Following Files were modified:
%Windir%/system.ini
%system%\cmd.exe
%system%\mmc.exe
%system%\taskmgr.exe
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Alias:W32.Sality.AE,Virus.Win32.Sality.ag,BackDoor-CEP.gen.au,
Mal/Sality-D,Virus:Win32/Sality.AT,Constructor.Win32.Bifrose,
Win32/Kashu.E
%system%\cmd.exe
%system%\mmc.exe
%system%\taskmgr.exe
This file infector drops copies of itself in all removable and physical drives found in the system.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[AutoRun];
{garbage characters}
shELl\EXplOrE\cOmMand= {random file name}.exe;
{garbage characters}
sheLL\OPen\cOMMaND= {random file name}.exe;
{garbage characters}
shEll\open\DefAuLt=1;
{garbage characters}
OPen= {random file name}.exe;
{garbage characters}
shelL\aUToPLAy\command = {random file name}.exe
Notes:
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[AutoRun];
{garbage characters}
shELl\EXplOrE\cOmMand= {random file name}.exe;
{garbage characters}
sheLL\OPen\cOMMaND= {random file name}.exe;
{garbage characters}
shEll\open\DefAuLt=1;
{garbage characters}
OPen= {random file name}.exe;
{garbage characters}
shelL\aUToPLAy\command = {random file name}.exe
Notes:
Risk Level : High
Alias:W32.Sality.AE,Virus.Win32.Sality.ag,BackDoor-CEP.gen.au,
Mal/Sality-D,Virus:Win32/Sality.AT,Constructor.Win32.Bifrose,
Win32/Kashu.E
The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32\Enum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
HKEY_CURRENT_USER\Software\Apcrmkeh
HKEY_CURRENT_USER\Software\Apcrmkeh\-72398023
The following Registry Keys were deleted:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32\Enum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
HKEY_CURRENT_USER\Software\Apcrmkeh
HKEY_CURRENT_USER\Software\Apcrmkeh\-72398023
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File system
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlay
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AFD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AppMgmt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Base
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot file system
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Browser
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmadmin
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmboot.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmio.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmload.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmserver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DnsCache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\File system
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Filter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\HelpSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ip6fw.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipnat.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LmHosts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Messenger
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS Wrapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Ndisuio
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Netlogon
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetMan
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Network
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProvider
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm.sys
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSsp
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI Configuration
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlay
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP Filter
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDI
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary disk
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sys
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sys
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sys
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgr
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSs
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI Class
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SharedAccess
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus Extender
The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- UacDisableNotify = 0x00000001
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
- AntiVirusOverride = 0x00000001
- AntiVirusDisableNotify = 0x00000001
- FirewallDisableNotify = 0x00000001
- FirewallOverride = 0x00000001
- UpdatesDisableNotify = 0x00000001
- UacDisableNotify = 0x00000001
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
- EnableLUA = 0x00000000
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000\Control]
- *NewlyCreated* = 0x00000000
- ActiveService = "amsint32"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32\0000]
- Service = "amsint32"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "amsint32"
- Capabilities = 0x00000000
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_AMSINT32]
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control]
- *NewlyCreated* = 0x00000000
- ActiveService = "IpFilterDriver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000]
- Service = "IpFilterDriver"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "IP Traffic Filter Driver"
- Capabilities = 0x00000000
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER]
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Enum]
- 0 = "Root\LEGACY_AMSINT32\0000"
- Count = 0x00000001
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32\Security]
- Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\amsint32]
- Type = 0x00000001
- Start = 0x00000003
- ErrorControl = 0x00000001
- ImagePath = "%System%\drivers\qfhln.sys"
- DisplayName = "amsint32"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32\0000\Control]
- *NewlyCreated* = 0x00000000
- ActiveService = "amsint32"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32\0000]
- Service = "amsint32"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "amsint32"
- Capabilities = 0x00000000
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32]
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control]
- *NewlyCreated* = 0x00000000
- ActiveService = "IpFilterDriver"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000]
- Service = "IpFilterDriver"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "IP Traffic Filter Driver"
- Capabilities = 0x00000000
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER]
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32\Enum]
- 0 = "Root\LEGACY_AMSINT32\0000"
- Count = 0x00000001
- NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32\Security]
- Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32]
- Type = 0x00000001
- Start = 0x00000003
- ErrorControl = 0x00000001
- ImagePath = "%System%\drivers\qfhln.sys"
- DisplayName = "amsint32"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
- DisableTaskMgr = 0x00000001
- DisableRegistryTools = 0x00000001
- [HKEY_CURRENT_USER\Software\Apcrmkeh\-72398023]
- 1919251285 = 0x0000001C
- -456464726 = 0x00000000
- 1462786559 = 0x00000000
- -912929452 = 0x00000023
- 1006321833 = 0x00000163
- -1369394178 = "0800687474703A2F2F7361676F637567656E632E73612E66756E7069632E64652F696D616765732F6C6F676F732E67696600687474703A2F2F7777772E656C656F6E7563636F72696E692E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F7777772E636974796F66616E67656C736D6167617A6
- 549857107 = "7A5801D0D76D75490FD5721AE6FECE55191F6924D0D1166E78F0AB577F4515BCCDA5108DE53FAE9EAE23480E85CEF9F5B358E2C7E6FE1A9E655C9D08F099653B9F3E8B4F64D703A069CBABBA6B2B21889D31FAD328C89E9C4A66C848713AC870CB2E7DDB0514C2560FC16A6F0F624BA903D6ADD5C42F55E3234006F32
- [HKEY_CURRENT_USER\Software\Apcrmkeh]
- U1_0 = 0xCC96283A
- U2_0 = 0x0000158D
- U3_0 = 0x01036A29
- U4_0 = 0x00000000
to disable notification of firewall, antivirus and/or update status through the Windows Security Center
to prevent users from starting Task Manager (Taskmgr.exe)
to disable the Windows registry editors (Regedt32.exe and Regedit.exe)
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
- AlternateShell = "cmd.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
- (Default) = "Human Interface Devices"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
- (Default) = "Volume"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Floppy disk drive"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
- (Default) = "System"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
- (Default) = "SCSIAdapter"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
- (Default) = "PCMCIA Adapters"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Mouse"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Keyboard"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Hdc"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Standard floppy disk controller"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- (Default) = "DiskDrive"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
- (Default) = "CD-ROM Drive"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
- (Default) = "Universal Serial Bus controllers"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys]
- (Default) = "FSFilter System Recovery"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlay]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File system]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserver]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
- (Default) = "Human Interface Devices"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
- (Default) = "Volume"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Floppy disk drive"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
- (Default) = "System"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
- (Default) = "SCSIAdapter"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
- (Default) = "PCMCIA Adapters"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
- (Default) = "NetTrans"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
- (Default) = "NetService"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
- (Default) = "NetClient"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Net"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Mouse"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Keyboard"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Hdc"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
- (Default) = "Standard floppy disk controller"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- (Default) = "DiskDrive"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
- (Default) = "CD-ROM Drive"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
- (Default) = "Universal Serial Bus controllers"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WZCSVC]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WinMgmt]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\vgasave.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\vga.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\termservice]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdtcp.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdpipe.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDI]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Tcpip]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus Extender]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys]
- (Default) = "FSFilter System Recovery"
- [[pathname with a string SHARE]\SharedAccess]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI Class]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSs]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgr]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary disk]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDI]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP Filter]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlay]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI Configuration]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSsp]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm.sys]
- (Default) = "Driver"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProvider]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Network]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetMan]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Netlogon]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroup]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBT]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Ndisuio]
- (Default) = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS Wrapper]
- (Default) = "Driver Group"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS]
- (Default) = "Driver Group"
The following Registry Value was modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]- AntiVirusOverride =
- FirewallOverride =
I have removed this Amsint32 Virus completely without any antivirus.
Please contact for removal instruction without any antivirus.
No comments:
Post a Comment