Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.bat'
Malicious functions:
Executes the following:
- <SYSTEM32>\cmd.exe /c _dcp.bat
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\ccl[1].txt
- <SYSTEM32>\url.txt
- <SYSTEM32>\ccl.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\$[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\url[1].php
- <SYSTEM32>\userinit.bat
- <SYSTEM32>\userinits.exe
- <Current directory>\_dcp.bat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\url[1].txt
- <SYSTEM32>\wupcltr.exe
Network activity:
Connects to:
- '$.###aldomain':80
- 'p2##56.cn':80
- 'localhost':1034
TCP:
HTTP GET requests:
- p2##56.cn/user003/url.php?ur#######################################################
- $.###aldomain/
- p2##56.cn/url.txt
- p2##56.cn/ccl.txt
UDP:
- DNS ASK $.###aldomain
- DNS ASK p2##56.cn
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'ABCDEFwwe' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
