Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = 'rundll32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'lno5h' = '%ALLUSERSPROFILE%\Start Menu\Programs\FileXs.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe] 'Debugger' = 'rundll32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe] 'Debugger' = 'rundll32.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\dMIwhj8bwi.eu.url
Malicious functions:
Executes the following:
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext "%TEMP%\tmp4.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext "%TEMP%\tmp5.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext "%TEMP%\tmp3.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext "%TEMP%\tmp2.tmp"
Injects code into
the following system processes:
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Modifies file system:
Creates the following files:
- %TEMP%\b.HJ
- %APPDATA%\check\check
- %TEMP%\a72f906b-da4a-130e-f720-fef93dcc29a0
- %APPDATA%\dMIwhj8bwi\dMIwhj8bwi.exe
- %ALLUSERSPROFILE%\Start Menu\Programs\FileXs.exe
- %TEMP%\aut1.tmp
Sets the 'hidden' attribute to the following files:
- %APPDATA%\check\check
Deletes the following files:
- %TEMP%\aut1.tmp
Network activity:
Connects to:
- 'se###pay.info':80
- 'wp#d':80
- 'sm##.gmail.com':587
TCP:
HTTP GET requests:
- http://11#.#11.111.2/wpad.dat via wp#d
HTTP POST requests:
- http://se###pay.info/ABC/ABCXYZ/Server/
UDP:
- DNS ASK se###pay.info
- DNS ASK wp#d
- DNS ASK sm##.gmail.com
