Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
- [<HKLM>\SOFTWARE\Classes\MSProgramGroup\Shell\Open\Command] '' = '<SYSTEM32>\grpconv.exe %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'scfpwb' = '%APPDATA%\b2l0zj6.exe'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\2649403024] 'Name' = '"%TEMP%\5.tmp"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Sxikihuvuw' = 'rundll32.exe "%WINDIR%\rfgsxe.dll",Startup'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\MouseDriver] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- %APPDATA%\b2l0zj6.exe -d9C8FB258A364E43BD8290423D7930D0852C7FC8C0260935AE38F1B6D6FB92A42C6BAC0DDD4A83F61FC88FA55D4EA765EEE2D9B73C863570B556C8EF2BFC04436571E6AC5C3CBAF43F2B346015EA589839EA9CF835DECFEFE2E9C99F1D4205FD9F8AFB3A1637D60D035F37E29B77483D6AA17BF8C5308D4E388AAF2BC90EED7159284E148E2A0BF6B7D4C76255E9AE0649C71CECE79786728BD268ED113CD49A14D287A07B4D27955C394441E158B5EF53C57A112E2C0843D636EA22DBE86927194EB425087CA7C8741313BA1DC4DF9BC942A1F5ADD9038B456B5A33332F4CE190FB33E324FFDF3426F6EF362F63CEFACECD96A43FD8ECF7BAD1D46CE51AA5C37A749B3193BB34EFA06E13E02E2ABBC7ACE6EEAD3113ED74CC2F580C83B96D8E284C826D1BDF6370AFFC1334C627C1EF202D442F82CAE1D2C2D1E85F2522B1F6D115F5C2685619D229382276A77B611F6919A58189E1BAE52C960CCA635D14E36F6935B46859BAC073BE9AEF262B4D3B4C56A5038F8ABD6E5AC57081CC848C2791B3467D0ED81D123B1C79D10A451E059273990D10BE1234E32F730A329E318E0AB2304B82F8DB9E8ED780976FD22F6337E08BD63E8A4628FF2C577C2BBC92D3B0DA3F9CBFB735274288548F870FC116ED63EBBC0E093A00EC7C753ED1EF41E0BEC164AAD4386C817DBF4EF503CD26F277611B0F885322991C72479B2332B471A2FF63DD738F88857
- "%TEMP%\yyaik.exe" (downloaded from the Internet)
- "%TEMP%\jaognl.exe" (downloaded from the Internet)
- "%TEMP%\bkfj.exe" (downloaded from the Internet)
- "%TEMP%\vpywo.exe" (downloaded from the Internet)
- "%TEMP%\ywowu.exe" (downloaded from the Internet)
- "%TEMP%\fpcf.exe" (downloaded from the Internet)
- "%TEMP%\vjbf.exe" (downloaded from the Internet)
- "%TEMP%\ivotm.exe" (downloaded from the Internet)
- "%TEMP%\750234914" (downloaded from the Internet)
- "%TEMP%\msmfuu.exe" (downloaded from the Internet)
- "%TEMP%\rjjpwxgp.exe" (downloaded from the Internet)
- "%TEMP%\qxghu.exe" (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\runonce.exe -r
- <SYSTEM32>\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %APPDATA%\mdinstall.inf
- <SYSTEM32>\net1.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
- <SYSTEM32>\rundll32.exe "%WINDIR%\rfgsxe.dll",iep
- <SYSTEM32>\grpconv.exe -o
- <SYSTEM32>\cmd.exe /c "%APPDATA%\meslfpwk.bat"
- <SYSTEM32>\net1.exe stop "Security Center"
- <SYSTEM32>\net.exe stop "Security Center"
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\rundll32.exe "%WINDIR%\rfgsxe.dll",Startup
- <SYSTEM32>\sc.exe config SharedAccess start= DISABLED
- <SYSTEM32>\net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
- <SYSTEM32>\sc.exe config wscsvc start= DISABLED
Injects code into
the following system processes:
- <SYSTEM32>\spoolsv.exe
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A10' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '{AEBA21FA-782A-4A90-978D-B72164C80120}' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '{A8A88C49-5EB2-4990-A1A2-0876022C854F}' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
Modifies file system :
Creates the following files:
- %APPDATA%\MouseDriver.bat
- %TEMP%\jaognl.exe
- %APPDATA%\mdinstall.inf
- %TEMP%\yyaik.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\aeztbmubn[1].php
- %TEMP%\qxghu.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\xxszuc[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\rhlxrztbz[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\yckrzu[1].php
- %TEMP%\bkfj.exe
- %APPDATA%\meslfpwk.bat
- %TEMP%\vpywo.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\xofmhs[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\cgkfzdywr[1].php
- %WINDIR%\etevuyubozidi.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\CASHY7KP.php
- %TEMP%\fpcf.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ndhpjrck[1].php
- %TEMP%\Rlb..bat
- %TEMP%\ywowu.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\nezgbiub[1].php
- %TEMP%\nsf3.tmp\5tbp.exe
- %TEMP%\nsf3.tmp\4IR.exe
- %WINDIR%\rfgsxe.dll
- %WINDIR%\Temp\6.tmp
- %TEMP%\4.tmp
- %TEMP%\nsf3.tmp\bogamdl.exe
- %TEMP%\nsj2.tmp
- %TEMP%\nsf3.tmp\1EuroP.exe
- %TEMP%\nsf3.tmp\3IC.exe
- %TEMP%\nsf3.tmp\2E4U - Bucks.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\znucw[1].php
- %TEMP%\vjbf.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\luckrmksmy[1].php
- %APPDATA%\b2l0zj6.exe
- %TEMP%\rjjpwxgp.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\evdxsql[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\sgnicbidbj[1].php
- %TEMP%\750234914
- %TEMP%\msmfuu.exe
- %TEMP%\ivotm.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\yptgomubw[1].php
Sets the 'hidden' attribute to the following files:
- %APPDATA%\MouseDriver.bat
Deletes the following files:
- <DRIVERS>\etc\hosts
- %TEMP%\5.tmp
- %WINDIR%\Temp\6.tmp
- <SYSTEM32>\svchost.exe
- %APPDATA%\mdinstall.inf
- %TEMP%\nsf3.tmp\bogamdl.exe
- %TEMP%\nsf3.tmp\2E4U - Bucks.exe
- %TEMP%\nsf3.tmp\1EuroP.exe
- %TEMP%\nsf3.tmp\3IC.exe
- %TEMP%\nsf3.tmp\5tbp.exe
- %TEMP%\nsf3.tmp\4IR.exe
Network activity:
Connects to:
- 'localhost':1040
- '16#####b0714.meetri.net':80
- '5c#t.in':80
- 'aa###tel.com':80
TCP:
HTTP GET requests:
- aa###tel.com/heiqks/ndhpjrck.php?ad################################
- aa###tel.com/heiqks/aeztbmubn.php?ad################################
- aa###tel.com/heiqks/yckrzu.php?ad################################
- aa###tel.com/heiqks/cgkfzdywr.php?ad##############################################################
- aa###tel.com/heiqks/xofmhs.php?ad################################
- aa###tel.com/heiqks/nezgbiub.php?ad################################
- aa###tel.com/heiqks/rhlxrztbz.php?ad################################
- aa###tel.com/heiqks/yptgomubw.php?ad################################
- aa###tel.com/heiqks/sgnicbidbj.php?ad################################
- aa###tel.com/heiqks/znucw.php?ad################################
- aa###tel.com/heiqks/xxszuc.php?ad################################
- aa###tel.com/heiqks/evdxsql.php?ad################################
- aa###tel.com/heiqks/luckrmksmy.php?ad################################
HTTP POST requests:
- 5c#t.in/?in##############################################################################################################
UDP:
- DNS ASK aa###tel.com
- DNS ASK 16#####b0714.meetri.net
- DNS ASK w.#####ardiscover.com
- DNS ASK 5c#t.in
- DNS ASK ik##.com
- DNS ASK si###ell.com
- DNS ASK go##le.ae
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'SystemTray_Main' WindowName: ''
- ClassName: 'CSCHiddenWindow' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
