Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\TaoSrv] 'ImagePath' = '"%ALLUSERSPROFILE%\Application Data\Taoli\ZheziServiceMgr.exe" /asservice'
- [<HKLM>\SYSTEM\ControlSet001\Services\TaoSrv] 'Start' = '00000002'
Malicious functions:
Executes the following:
- '%ALLUSERSPROFILE%\Application Data\Taoli\ZheziServiceMgr.exe' /asservice
Modifies file system:
Creates the following files:
- %TEMP%\aut5.tmp
- %ALLUSERSPROFILE%\Application Data\Taoli\msvcp80.dll
- %TEMP%\aut4.tmp
- %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %TEMP%\temp
- %ALLUSERSPROFILE%\Application Data\zhezi\TaoConfig.ini
- %TEMP%\aut2.tmp
- %ALLUSERSPROFILE%\Application Data\Taoli\ZheziServiceMgr.exe
- %TEMP%\aut1.tmp
- %ALLUSERSPROFILE%\Application Data\Taoli\Microsoft.VC80.CRT.manifest
- %TEMP%\aut3.tmp
- %ALLUSERSPROFILE%\Application Data\Taoli\log.dll
Deletes the following files:
- %TEMP%\aut4.tmp
- %TEMP%\aut5.tmp
- %TEMP%\aut3.tmp
- %TEMP%\aut1.tmp
- %TEMP%\aut2.tmp
Network activity:
Connects to:
- 'www.zg##m.com':80
TCP:
HTTP GET requests:
- http://www.zg##m.com/post.php?a=################################################
UDP:
- DNS ASK www.zg##m.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
