Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
- [<HKLM>\SOFTWARE\Classes\MSProgramGroup\Shell\Open\Command] '' = '<SYSTEM32>\grpconv.exe %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '46f2' = '%APPDATA%\7bsxzxl.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Inoyikotadoqev' = 'rundll32.exe "%WINDIR%\utsml60.dll",Startup'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\826834944] 'Name' = '%TEMP%\5.tmp'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\MouseDriver] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%TEMP%\pshha.exe'
- '%APPDATA%\7bsxzxl.exe' -dBEADD63C9354FF20C33290B74E0A52577FEA7F0F543609C03E52D5A3DF09076FAAD69F8294E8EBB534409D32083688A0B67551B9822995C9566F562A027DA6D4ADE4F35C838B5BB72869F0B77E85D8D2AF98A8E4AF1E7575853760081BEFB6307027D7C5524C7DCD19DF1E49F2317E2BB508AA996C37F4C3E5C7A8E60B759250DBCD90393270BD69BF8EFDAEE420F87951BCBCBC8A8BA0EFCF54237CF12FD905197CA4D993F5C8D71344A1FB178A029D4B2082311B3E458FDCD106893074668391EED6C4266A8B724E3E60FA8A1B9ACAAC12E2A76E20F28EE407C55568AE588FEE522D21DD6F3485EAEBCE5F804AFDBEBE8B01281566F24601B1179F7B800B6017F9ED47E9612F9B9E79C0FC7831A76109A9437AE2CDD3488BBCEFA789241B21377B9B6CBBF02914655B4C33342A55B957814EF4E46661501D2E84F3F38A6715B5FBFC8603E70FB07766C68BB57405E2B0BB07476EEBAB578E2749235BBF0A723C591508B2AC0FA44D9FC4983BEDF4935EF192FA0F5CFCCFF70CF4E0A02063D8B39C2B9CFA969567A1D71A9749BC9E27E9F755149A70E28FB3767AE9E62C0EF644CCC4784CEE4E1F6AFFDDA29E41C0051B91F4381F3229F5597B10898BCBE81058C0A4B658DC280FE34463DE3C925929FC10552DEF96E059C37C2BA532D00D179875CFEC10A24EF8846B408E6468A3D1D5A49D849BEB52FD09E57FC0BB9E
- '%TEMP%\hodwarf.exe'
- '%TEMP%\tcomfpag.exe'
- '%TEMP%\qwutu.exe'
- '%TEMP%\cpbdrxur.exe'
- '%TEMP%\yttwulhw.exe'
- '%TEMP%\iycclejs.exe'
- '%TEMP%\-1998166001'
- '%TEMP%\ukrycny.exe'
- '%TEMP%\xqcwsah.exe'
- '%APPDATA%\7bsxzxl.exe'
- '%TEMP%\nsj3.tmp\1EuroP.exe'
- '%TEMP%\nsj3.tmp\IR.exe'
- '%TEMP%\nsj3.tmp\3E4U - Bucks.exe'
- '%TEMP%\nsj3.tmp\2IC.exe'
- '%TEMP%\nohfx.exe'
- '%TEMP%\nsj3.tmp\erev.exe'
- '%TEMP%\nsj3.tmp\6tbp.exe'
- '%TEMP%\mish.exe'
- '%TEMP%\iycclejs.exe' (downloaded from the Internet)
- '%TEMP%\yttwulhw.exe' (downloaded from the Internet)
- '%TEMP%\-1998166001' (downloaded from the Internet)
- '%TEMP%\xqcwsah.exe' (downloaded from the Internet)
- '%TEMP%\qwutu.exe' (downloaded from the Internet)
- '%TEMP%\hodwarf.exe' (downloaded from the Internet)
- '%TEMP%\mish.exe' (downloaded from the Internet)
- '%TEMP%\tcomfpag.exe' (downloaded from the Internet)
- '%TEMP%\cpbdrxur.exe' (downloaded from the Internet)
- '%TEMP%\ukrycny.exe' (downloaded from the Internet)
- '%TEMP%\pshha.exe' (downloaded from the Internet)
- '%TEMP%\nohfx.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\runonce.exe' -r
- '<SYSTEM32>\rundll32.exe' setupapi,InstallHinfSection DefaultInstall 128 %APPDATA%\mdinstall.inf
- '<SYSTEM32>\net1.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)"
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\utsml60.dll",iep
- '<SYSTEM32>\grpconv.exe' -o
- '<SYSTEM32>\cmd.exe' /c "%APPDATA%\f7lf8ipd.bat"
- '<SYSTEM32>\net1.exe' stop "Security Center"
- '<SYSTEM32>\net.exe' stop "Security Center"
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\utsml60.dll",Startup
- '<SYSTEM32>\sc.exe' config SharedAccess start= DISABLED
- '<SYSTEM32>\net.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)"
- '<SYSTEM32>\sc.exe' config wscsvc start= DISABLED
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\spoolsv.exe
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\dnnrvriqm[1].php
- %TEMP%\cpbdrxur.exe
- %TEMP%\ukrycny.exe
- %TEMP%\-1998166001
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\erfjjje[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\oobbff[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\dhdhuy[1].php
- %TEMP%\qwutu.exe
- %TEMP%\hodwarf.exe
- %TEMP%\pshha.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\xtkkbspt[1].php
- %TEMP%\Aqz..bat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\hdqhyyz[1].php
- %APPDATA%\0gdi9qm.log
- %WINDIR%\iyoyihit.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\CAJMG37L.php
- %TEMP%\iycclejs.exe
- %TEMP%\xqcwsah.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\arboobnkar[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\sjwxkob[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ivzqmqd[1].php
- %TEMP%\yttwulhw.exe
- %WINDIR%\utsml60.dll
- %TEMP%\nsj3.tmp\IR.exe
- %WINDIR%\Temp\6.tmp
- %TEMP%\4.tmp
- %TEMP%\nsj3.tmp\6tbp.exe
- %TEMP%\nsj3.tmp\erev.exe
- %TEMP%\nsj2.tmp
- %TEMP%\nsj3.tmp\1EuroP.exe
- %TEMP%\nsj3.tmp\3E4U - Bucks.exe
- %TEMP%\nsj3.tmp\2IC.exe
- %APPDATA%\f7lf8ipd.bat
- %TEMP%\mish.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\qqqriimq[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\qduhhl[1].php
- %TEMP%\tcomfpag.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\flcppgggu[1].php
- %APPDATA%\MouseDriver.bat
- %APPDATA%\7bsxzxl.exe
- %APPDATA%\mdinstall.inf
- %TEMP%\nohfx.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\nnbrswmqa[1].php
Sets the 'hidden' attribute to the following files:
- %APPDATA%\MouseDriver.bat
Deletes the following files:
- <DRIVERS>\etc\hosts
- %TEMP%\5.tmp
- %WINDIR%\Temp\6.tmp
- <SYSTEM32>\svchost.exe
- %APPDATA%\mdinstall.inf
- %TEMP%\nsj3.tmp\IR.exe
- %TEMP%\nsj3.tmp\2IC.exe
- %TEMP%\nsj3.tmp\1EuroP.exe
- %TEMP%\nsj3.tmp\3E4U - Bucks.exe
- %TEMP%\nsj3.tmp\erev.exe
- %TEMP%\nsj3.tmp\6tbp.exe
Moves the following files:
- from %TEMP%\4.tmp to %TEMP%\5.tmp
Substitutes the HOSTS file.
Network activity:
Connects to:
- '01######0620.zoomchat.net':80
- 'localhost':1041
- 'aa###ket.com':80
TCP:
HTTP GET requests:
- aa###ket.com/ckkuylpycc/arboobnkar.php?ad####################################
- aa###ket.com/ckkuylpycc/erfjjje.php?ad####################################
- aa###ket.com/ckkuylpycc/dnnrvriqm.php?ad####################################
- aa###ket.com/ckkuylpycc/hdqhyyz.php?ad##################################################################
- aa###ket.com/ckkuylpycc/ivzqmqd.php?ad####################################
- aa###ket.com/ckkuylpycc/sjwxkob.php?ad####################################
- aa###ket.com/ckkuylpycc/oobbff.php?ad####################################
- aa###ket.com/ckkuylpycc/qqqriimq.php?ad####################################
- aa###ket.com/ckkuylpycc/flcppgggu.php?ad####################################
- aa###ket.com/ckkuylpycc/nnbrswmqa.php?ad####################################
- aa###ket.com/ckkuylpycc/xtkkbspt.php?ad####################################
- aa###ket.com/ckkuylpycc/dhdhuy.php?ad####################################
- aa###ket.com/ckkuylpycc/qduhhl.php?ad####################################
UDP:
- DNS ASK w.#####ardiscover.com
- DNS ASK 01######0620.zoomchat.net
- DNS ASK cl####amwallop.in
- DNS ASK pr###root.in
- DNS ASK ne###rtvoore.in
- DNS ASK ma##h.com
- DNS ASK ti##pic.com
- DNS ASK da##.net
- DNS ASK aa###ket.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'SystemTray_Main' WindowName: '(null)'
- ClassName: 'CSCHiddenWindow' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
