Technical Information
Modifies file system:
Creates the following files:
- %ProgramFiles%\Microsoft SQL Server2\1.bat
- %ProgramFiles%\Microsoft SQL Server2\sany.exe
- %ProgramFiles%\Microsoft SQL Server2\lucifer616_4.exe
- %TEMP%\1.tmp\lucifer616.bat
- %ProgramFiles%\Microsoft SQL Server2\Coldedlucifer.exe
- %ProgramFiles%\Microsoft SQL Server2\Logger.exe
- %TEMP%\aut2.tmp
- %APPDATA%\Application.exe
- %TEMP%\aut3.tmp
- %APPDATA%\System.Data.SQLite.dll
- %TEMP%\dw.log
- %TEMP%\37204.dmp
Deletes the following files:
- %TEMP%\aut2.tmp
- %TEMP%\aut3.tmp
Network activity:
Connects to:
- 'wp#d':80
- 'ip###ger.com':443
TCP:
HTTP GET requests:
- http://11#.#11.111.1/wpad.dat via wp#d
UDP:
- DNS ASK wp#d
- DNS ASK ip###ger.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following:
- '%ProgramFiles%\Microsoft SQL Server2\sany.exe' -p123
- '%ProgramFiles%\Microsoft SQL Server2\lucifer616_4.exe'
- '%ProgramFiles%\Microsoft SQL Server2\Coldedlucifer.exe'
- '%APPDATA%\Application.exe'
- '%ProgramFiles%\Microsoft SQL Server2\Logger.exe'
Executes the following:
- '<SYSTEM32>\cmd.exe' /c ""%ProgramFiles%\Microsoft SQL Server2\1.bat" "
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\lucifer616.bat" "
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1236
