W32/Tupym-C exhibits the following characteristics:
File Information
- Size: 877K
- SHA-1: eec2eb7dd84afe0fa352b68d8a10aa3e54ca1946
- MD5: 1ba2081d6d63c53ee943c4dbb2e55567
- CRC-32: 63f9b944
- File type: application/x-ms-dos-executable
- First seen: 2011-06-14
Other vendor detection
- Kaspersky: Worm.Win32.AutoRun.fnc
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\system3_.exe
- C:\WINDOWS\system3_.exe
Dropped Files
- C:\WINDOWS\system32\autorun.ini
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - Yahoo Messengger = C:\WINDOWS\system32\system3_.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - DisableTaskMgr = 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - NofolderOptions = 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Services\Schedule
  - AtTaskMaxHours = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - GlobalUserOffline = 0x00000000
Registry Keys Modified
- HKCU\Software\Microsoft\Internet Explorer\Main
  - Start Page = http://www.mydreamworld.50webs.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Shell = Explorer.exe system3_.exe
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
  - Search Page = http://www.mydreamworld.50webs.com
Processes Created
- c:\windows\system32\at.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://h1.ripway.com/asdb000/setting.ini
- http://h1.ripway.com/asdb002/setting.ini
- http://h1.ripway.com/asdb004/setting.ini
- http://h1.ripway.com/asdb006/setting.ini
- http://www.balu000.0catch.com/set/setting.ini
- http://www.balu001.0catch.com/set/setting.ini
- http://www.balu002.0catch.com/set/setting.ini
- http://www.balu003.0catch.com/set/setting.ini
DNS Requests
- h1.ripway.com
- www.balu000.0catch.com
- www.balu001.0catch.com
- www.balu002.0catch.com
- www.balu003.0catch.com