Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ewrgetuj' = '%TEMP%\geurge.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Inoyikotadoqev' = 'rundll32.exe "%WINDIR%\ngnsexmp.dll",Startup'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\tdl] 'Name' = '%TEMP%\5.tmp'
Malicious functions:
Creates and executes the following:
- '%TEMP%\ic1.exe'
- '%TEMP%\Gi.exe'
- '%TEMP%\geurge.exe'
- '%TEMP%\_tbp.exe'
- '%TEMP%\7za.exe' x %TEMP%\a1.7z -aoa -o%HOMEPATH%\Local Settings\Temp -plolmilf
- '%TEMP%\ep.exe'
- '%TEMP%\E4U.exe'
- '%TEMP%\EuroP.exe'
Executes the following:
- '<SYSTEM32>\sc.exe' config SharedAccess start= DISABLED
- '<SYSTEM32>\net.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)
- '<SYSTEM32>\cmd.exe' /c ""C:\tujserrew.bat""
- '<SYSTEM32>\net1.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)
- '<SYSTEM32>\net1.exe' stop "Security Center"
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\ngnsexmp.dll",Startup
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\ngnsexmp.dll",iep
- '<SYSTEM32>\sc.exe' config wscsvc start= DISABLED
- '<SYSTEM32>\net.exe' stop "Security Center"
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\spoolsv.exe
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
Modifies file system :
Creates the following files:
- %TEMP%\geurge.exe
- C:\tujserrew.bat
- %WINDIR%\Temp\6.tmp
- %TEMP%\4.tmp
- %WINDIR%\ngnsexmp.dll
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W9AZKXQZ\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4L61E7YR\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A47NA69L\desktop.ini
- %TEMP%\Aqz..bat
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SUWPDG9C\desktop.ini
- %TEMP%\ep.exe
- %TEMP%\nsb3.tmp\ExecDos.dll
- %TEMP%\a1.7z
- %TEMP%\nse2.tmp
- %TEMP%\7za.exe
- %TEMP%\ic1.exe
- %TEMP%\_tbp.exe
- %TEMP%\Gi.exe
- %TEMP%\E4U.exe
- %TEMP%\EuroP.exe
Sets the 'hidden' attribute to the following files:
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W9AZKXQZ\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4L61E7YR\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SUWPDG9C\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\A47NA69L\desktop.ini
Deletes the following files:
- %WINDIR%\Temp\6.tmp
- %TEMP%\~DF7840.tmp
- %TEMP%\EuroP.exe
- %TEMP%\nsb3.tmp\ExecDos.dll
- %TEMP%\E4U.exe
- %TEMP%\5.tmp
Moves the following files:
- from %TEMP%\ic1.exe to %TEMP%\7.tmp
- from %TEMP%\4.tmp to %TEMP%\5.tmp
Network activity:
Connects to:
- 'localhost':1042
UDP:
- DNS ASK co####.perfectexe.com
- DNS ASK ch###eebo.com
- DNS ASK 01######050b.coginix.org
- DNS ASK db##rps.com
- DNS ASK wi###erse.com
- DNS ASK 00########.########.##.###########9429287495D69748230EC.n.empty.1147.empty.5_1._t_i.ffffffff.<Auxiliary name>_exe.168.rc2.a4h9uploading.com
- DNS ASK go##le.it
- DNS ASK ma#l.ru
- DNS ASK sn###ake.net
- DNS ASK cb##ase.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'SystemTray_Main' WindowName: ''
- ClassName: 'CSCHiddenWindow' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
