Technical Information
Malicious functions:
Creates and executes the following:
- %APPDATA%\Server.exe
- %APPDATA%\7za.exe "x" "-y" "%APPDATA%\Server.7z" "-pHVLnt5Dy"
Terminates or attempts to terminate
the following user processes:
- ICQ.exe
Modifies file system :
Creates the following files:
- <Current directory>\Server.exe
- %TEMP%\CRNJEUFU
- %APPDATA%\7za.exe
- %APPDATA%\Server.txt
Deletes the following files:
- %APPDATA%\Server.7z
- %APPDATA%\Server.exe
- %APPDATA%\7za.exe
Moves the following files:
- from <Current directory>\Server.exe to %APPDATA%\Server.exe
- from %APPDATA%\Server.txt to %APPDATA%\Server.7z
Network activity:
Connects to:
- 'eu###lge.com':80
- 'au######on.whatismyip.com':80
- 'wp#d':80
TCP:
HTTP GET requests:
- eu###lge.com/logs/log/index.php?ac##################################################
- au######on.whatismyip.com/n09230945.asp
- wp#d/wpad.dat
UDP:
- DNS ASK eu###lge.com
- DNS ASK au######on.whatismyip.com
- DNS ASK wp#d
