Technical Information
Malicious functions:
Searches for windows to
detect programs and games:
- ClassName: 'TXGuiFoundation', WindowName: '???????? - ????????????'
- ClassName: 'TXGuiFoundation', WindowName: 'µзДФ№ЬјТ - НшВзБчБї№ЬАн'
Modifies file system:
Creates the following files:
- <Current directory>\МбИЎ№¤ѕЯ.exe
- %APPDATA%\Microsoft\Media Player\npiaa\VBS.vbs
Sets the 'hidden' attribute to the following files:
- <Current directory>\МбИЎ№¤ѕЯ.exe
- %APPDATA%\Microsoft\Media Player\npiaa\svohost.exe
- %APPDATA%\Microsoft\Media Player\npiaa\VBS.vbs
Moves the following files:
- from <Full path to file> to %APPDATA%\Microsoft\Media Player\npiaa\svohost.exe
Network activity:
Connects to:
- '47.##.127.204':33
- '12#.#25.114.144':80
- 'jw###.msns.cn':49596
TCP:
HTTP GET requests:
- http://www.ba##u.com/ via 12#.#25.114.144
UDP:
- DNS ASK www.ba##u.com
- DNS ASK jw###.msns.cn
Miscellaneous:
Creates and executes the following:
- '<Current directory>\МбИЎ№¤ѕЯ.exe'
Executes the following:
- '<SYSTEM32>\wscript.exe' "%APPDATA%\Microsoft\Media Player\npiaa\VBS.vbs"
