Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'HKCU' = ''
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{B8F8F51L-D8N1-881J-JG87-W51I46F308NH}] 'StubPath' = '<SYSTEM32>\WinDir\Svchost.exe Restart'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{B8F8F51L-D8N1-881J-JG87-W51I46F308NH}] 'StubPath' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'Policies' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'Policies' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'HKLM' = ''
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\WinDir\Svchost.exe'
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Searches for windows to
detect analytical utilities:
- ClassName: '(null)' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'GBDYLLO' WindowName: '(null)'
- ClassName: 'OLLYDBG' WindowName: '(null)'
- ClassName: 'FilemonClass' WindowName: '(null)'
- ClassName: 'pediy06' WindowName: '(null)'
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\sqlite3[1].dll
- %TEMP%\%USERNAME%8
- %TEMP%\180953.tmp
- %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new
- %APPDATA%\%USERNAME%3SQLite3.dll
- %TEMP%\%USERNAME%7
- %TEMP%\%USERNAME%2.txt
- <SYSTEM32>\WinDir\Svchost.exe
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new
- %APPDATA%\%USERNAME%log.dat
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
Sets the 'hidden' attribute to the following files:
- %APPDATA%\%USERNAME%log.dat
Deletes the following files:
- %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.3284.184953
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3284.184937
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3620.194796
- %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.3752.203671
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3620.194812
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3284.184937
- %TEMP%\%USERNAME%7
- %TEMP%\%USERNAME%2.txt
- %TEMP%\%USERNAME%8
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3496.184890
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3496.184875
Moves the following files:
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3284.184937
- from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.3284.184953
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3620.194796
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3620.194812
- from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.3752.203671
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3284.184937
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3496.184875
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3496.184890
- from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch
Deletes itself.
Network activity:
Connects to:
- 'www.se##er.com':80
- 'localhost':1037
TCP:
HTTP GET requests:
- www.se##er.com/sqlite3.dll
UDP:
- DNS ASK ff#####oint.zapto.org
- DNS ASK www.se##er.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: '18467-41' WindowName: '(null)'
