Technical Information
Malicious functions:
Creates and executes the following:
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREG.exe (downloaded from the Internet)
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREF.exe (downloaded from the Internet)
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREH.exe (downloaded from the Internet)
- %PROGRAM_FILES%\Internet Explorer\ad7731.exe (downloaded from the Internet)
- %PROGRAM_FILES%\Internet Explorer\dodolook507.exe (downloaded from the Internet)
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREB.exe (downloaded from the Internet)
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREA.exe (downloaded from the Internet)
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREC.exe (downloaded from the Internet)
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREE.exe (downloaded from the Internet)
- %PROGRAM_FILES%\Internet Explorer\IEXPLORED.exe (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\net1.exe stop sharedaccess
- <SYSTEM32>\net1.exe stop KAVStart
- %PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE http://ho###i.8866.org/zhen2/user.asp?us############################################################################
- <SYSTEM32>\net.exe stop KAVStart
- <SYSTEM32>\ntsd.exe -c q -pn 360Safe.exe
- <SYSTEM32>\net.exe stop sharedaccess
- <SYSTEM32>\ntsd.exe -c q -pn 360tray.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ma8[1].jpg
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREH.exe
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREG.exe
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREF.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\ma7[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\dodolook507[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\uu[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\user[1].asp
- %PROGRAM_FILES%\Internet Explorer\ad7731.exe
- %PROGRAM_FILES%\Internet Explorer\dodolook507.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\ad7731[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\ma6[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\ma2[1].jpg
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREB.exe
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREA.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\hou2[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\ma1[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\ma3[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\ma5[1].jpg
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREE.exe
- %PROGRAM_FILES%\Internet Explorer\IEXPLORED.exe
- %PROGRAM_FILES%\Internet Explorer\IEXPLOREC.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ma4[1].jpg
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\user[1].asp
Network activity:
Connects to:
- 'localhost':1040
- 'ho###i.8866.org':80
- 'localhost':1037
- 'www.gx##s.cn':80
TCP:
HTTP GET requests:
- www.gx##s.cn/ad/dodolook507.jpg
- www.gx##s.cn/ad/ma8.jpg
- www.gx##s.cn/ad/ma7.jpg
- ho###i.8866.org/zhen2/user.asp?us############################################################################
- www.gx##s.cn/ad/uu.jpg
- www.gx##s.cn/ad/ad7731.jpg
- www.gx##s.cn/ad/ma6.jpg
- www.gx##s.cn/ad/ma2.jpg
- www.gx##s.cn/ad/ma1.jpg
- www.gx##s.cn/ad/hou2.jpg
- www.gx##s.cn/ad/ma5.jpg
- www.gx##s.cn/ad/ma4.jpg
- www.gx##s.cn/ad/ma3.jpg
UDP:
- DNS ASK ho###i.8866.org
- DNS ASK www.gx##s.cn
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
