Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\srservice] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\srservice.exe'
- '<SYSTEM32>\wscp.exe' <SYSTEM32>\f9c5d3df84f48502d03492792b27ed95.vbs //B
- '<SYSTEM32>\srservice.exe' exec
- '<SYSTEM32>\srservice.exe' move efaad737aaff27cb1fd2a2868ef76ef2 <Virus name>.exe x.exe
- '%TEMP%\<Virus name>.exe'
- '<SYSTEM32>\wscp.exe' <SYSTEM32>\srservice.vbs
Modifies file system :
Creates the following files:
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\drivetable.txt
- %TEMP%\<Virus name>.exe
- <SYSTEM32>\pandora.pid
- <SYSTEM32>\f9c5d3df84f48502d03492792b27ed95.vbs
- %TEMP%\efaad737aaff27cb1fd2a2868ef76ef2
- <SYSTEM32>\srservice.exe
- <SYSTEM32>\srservice.vbs
- <SYSTEM32>\wscp.exe
Deletes the following files:
- <SYSTEM32>\f9c5d3df84f48502d03492792b27ed95.vbs
- %TEMP%\efaad737aaff27cb1fd2a2868ef76ef2
Network activity:
Connects to:
- 'sr.##azoe.cn':80
- 'www.ka###u.bj.cn':80
TCP:
HTTP GET requests:
- sr.##azoe.cn/v3003/s.php?si######################################################################################################
- www.ka###u.bj.cn/v3003/s.php?si######################################################################################################
UDP:
- DNS ASK sr.##azoe.cn
- DNS ASK www.ka###u.bj.cn
