wacult.exe - Dangerous
Manual removal instructions:
Antivirus Report of wacult.exe:
We suggest you remove wacult.exe from your computer as soon as possible.
Wacult.exe is a Trojan/Backdoor.
Kill the process wacult.exe and remove wacult.exe from Windows startup.
File: ddos.exe (C:\sand-box\ddos.exe)
-------------------------------------------------------------------------------------
Classification:
Antivirus    Version        Last Update  Result
Avast        4.8.1335.0     2009.08.14   Unix:Malware-gen
AVG          8.5.0.406      2009.08.15   Generic13.QFH
BitDefender  7.2            2009.08.15   IRC-Worm.Generic.5575
Comodo       1964           2009.08.14   Backdoor.IRC.Kelebek.NAA
DrWeb        5.0.0.12182    2009.08.15   BackDoor.IRC.based
F-Secure     8.0.14470.0    2009.08.15   Client-IRC.Win32.mIRC.602
Kaspersky    7.0.0.125      2009.08.15   not-a-virus:Client-IRC.Win32.mIRC.602
Microsoft    1.4903         2009.08.15   Backdoor:Win32/Kirsun.A
NOD32        4337           2009.08.15   IRC/Flood.NAE
Symantec     1.4.4.12       2009.08.15   Backdoor.Trojan
Additional information
File size: 670789 bytes
MD5: 48c78960fbed11a90810c57c8fafec6a
SHA1: 91710d954b0e3287fa27673a6af44dd64e571f92
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:
-------------------------------------------------------------------------------------
Internet activity:
----------------------------------
Keys added: 24
----------------------------------
HKLM\SOFTWARE\Classes\.cha
HKLM\SOFTWARE\Classes\.chat
HKLM\SOFTWARE\Classes\ChatFile
HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon
HKLM\SOFTWARE\Classes\ChatFile\Shell
HKLM\SOFTWARE\Classes\ChatFile\Shell\open
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
HKLM\SOFTWARE\Classes\irc
HKLM\SOFTWARE\Classes\irc\DefaultIcon
HKLM\SOFTWARE\Classes\irc\Shell
HKLM\SOFTWARE\Classes\irc\Shell\open
HKLM\SOFTWARE\Classes\irc\Shell\open\command
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms32
HKCU\Software\Microsoft\Microsoft Agent
HKCU\Software\ms32
HKCU\Software\ms32\DateUsed
----------------------------------
Values added: 44
----------------------------------
HKLM\SOFTWARE\Classes\.cha\: "ChatFile"
HKLM\SOFTWARE\Classes\.chat\: "ChatFile"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\: "Connect"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\: "%1"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\: "mIRC"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\: "%1"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command\: ""c:\WINDOWS\System32\wacult.exe" -noconnect"
HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon\: ""c:\WINDOWS\System32\wacult.exe""
HKLM\SOFTWARE\Classes\ChatFile\: "Chat File"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\: "Connect"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\: "%1"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\: "mIRC"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\: "%1"
HKLM\SOFTWARE\Classes\irc\Shell\open\command\: ""c:\WINDOWS\System32\wacult.exe" -noconnect"
HKLM\SOFTWARE\Classes\irc\DefaultIcon\: ""c:\WINDOWS\System32\wacult.exe""
HKLM\SOFTWARE\Classes\irc\: "URL:IRC Protocol"
HKLM\SOFTWARE\Classes\irc\EditFlags: 02 00 00 00
HKLM\SOFTWARE\Classes\irc\URL Protocol: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinXPService: "c:\WINDOWS\System32\wacult.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms32\DisplayName: "ms32"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms32\UninstallString: ""c:\WINDOWS\System32\wacult.exe" -uninstall"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\wacult.exe: "C:\WINDOWS\system32\wacult.exe:*:Disabled:mIRC"
HKCU\Software\Microsoft\Microsoft Agent\VoiceEnabled: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseVoiceTips: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\KeyHoldHotKey: 0x00000091
HKCU\Software\Microsoft\Microsoft Agent\UseBeepSRPrompt: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\SRTimerDelay: 0x000007D0
HKCU\Software\Microsoft\Microsoft Agent\SRModeID: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKCU\Software\Microsoft\Microsoft Agent\EnableSpeaking: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseBalloon: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseCharacterFont: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseSoundEffects: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\SpeakingSpeed: 0x00000005
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetX: 0x000F423F
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetY: 0x000F423F
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetWidth: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetHeight: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetPage: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowLeft: 0xFFFFFFFF
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowTop: 0xFFFFFFFF
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowWidth: 0x000000C8
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowHeight: 0x000000C8
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowLocationSet: 0x00000000
HKCU\Software\ms32\DateUsed\: "1250506358"
----------------------------------
Values modified: 0
----------------------------------
----------------------------------
Files added: 6
----------------------------------
C:\WINDOWS\system32\edih.dll
C:\WINDOWS\system32\ms32.sys
C:\WINDOWS\system32\remote.ini
C:\WINDOWS\system32\system32\msconfg.dll
C:\WINDOWS\system32\system32\Systemx.dll
C:\WINDOWS\system32\wacult.exe
----------------------------------
Files [attributes?] modified: 0
----------------------------------
----------------------------------
Folders added: 1
----------------------------------
C:\WINDOWS\system32\system32
----------------------------------
Folders deleted: 0
----------------------------------
----------------------------------
Total changes: 75
----------------------------------
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Item Name: vmtest
Author:
Related File: C:\sand-box\files\wacult.exe
Type: Registry Run
Removal Results: Success
Number of reboots: 1
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since then I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.