Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe <SYSTEM32>\fservice.exe'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}] 'StubPath' = '%WINDIR%\system\sservice.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 ""%TEMP%\IXP000.TMP\""'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Windows Live\Sync\WindowsLiveSync.exe' = '%PROGRAM_FILES%\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\pchealth\helpctr\binaries\HelpCtr.exe' = '%WINDIR%\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Assistance à distance - Windows Messenger et voix'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\explorer.exe' = '%WINDIR%\Services.exe:*:Enabled:Explorateur Windows'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Windows Live\Messenger\msnmsgr.exe' = '%PROGRAM_FILES%\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%windir%\Network Diagnostic\xpnetdiag.exe' = '%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\sessmgr.exe' = '<SYSTEM32>\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\Vuze\Azureus.exe' = '%PROGRAM_FILES%\Vuze\Azureus.exe:*:Enabled:Azureus'
Creates and executes the following:
- %WINDIR%\services.exe -XP
- <SYSTEM32>\fservice.exe
Executes the following:
- <SYSTEM32>\net.exe STOP navapsvc
- <SYSTEM32>\net1.exe STOP navapsvc
- %WINDIR%\explorer.exe /e, C:\
- <SYSTEM32>\calc.exe
Installs hooks to intercept notifications
on keystrokes:
- Handler for all processes: <SYSTEM32>\winkey.dll
Terminates or attempts to terminate
the following user processes:
- mpftray.exe
- NAVAPW32.EXE
- GUARD.EXE
- MCAGENT.EXE
- nod32.exe
- zapro.exe
- ZONEALARM.EXE
- outpost.exe
- smc.exe
- AVP.EXE
- AVP32.EXE
- AVGCC32.EXE
- AVGCTRL.EXE
- AVPCC.EXE
- fsav.exe
- fsav32.exe
- AVPM.EXE
- AVSYNMGR.EXE
Modifies file system :
Creates the following files:
- %WINDIR%\services.exe
- <SYSTEM32>\winkey.dll
- <SYSTEM32>\reginv.dll
- %WINDIR%\system\sservice.exe
- %TEMP%\IXP000.TMP\CLPROR~1.EXE
- %TEMP%\IXP000.TMP\server.exe
- <SYSTEM32>\fservice.exe
Sets the 'hidden' attribute to the following files:
- %WINDIR%\services.exe
- %WINDIR%\system\sservice.exe
- <SYSTEM32>\fservice.exe
Deletes the following files:
- %WINDIR%\system\sservice.exe
- <SYSTEM32>\fservice.exe
Network activity:
Connects to:
- 'ch######teur.redirectme.net':4110
- 'ch######teur.redirectme.net':4112
- 'ch######teur.redirectme.net':41100
UDP:
- DNS ASK ch######teur.redirectme.net
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'GINA Logon'
- ClassName: '' WindowName: 'ProConnective'
- ClassName: '' WindowName: 'Windows services '
- ClassName: '' WindowName: 'Windows Logon Service '
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: '' WindowName: 'Windows services '
