Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Service HomeGroup DCOM Audio Cache Name System' = '<LS_APPDATA>\oqzkozx\zmiaoekzzwso.exe'
Malicious functions:
Creates and executes the following:
- '<LS_APPDATA>\oqzkozx\wgnhawuimwta.exe' "<LS_APPDATA>\oqzkozx\zmiaoekzzwso.exe"
- '<LS_APPDATA>\oqzkozx\zmiaoekzzwso.exe'
Modifies file system :
Creates the following files:
- <LS_APPDATA>\oqzkozx\zmiaoekzzwso.kjw
- <LS_APPDATA>\oqzkozx\wgnhawuimwta.exe
- <LS_APPDATA>\oqzkozx\zmiaoekzzwso.exe
Sets the 'hidden' attribute to the following files:
- <LS_APPDATA>\oqzkozx\wgnhawuimwta.exe
- <LS_APPDATA>\oqzkozx\zmiaoekzzwso.exe
Network activity:
Connects to:
- 'st####thbrown.net':80
TCP:
HTTP GET requests:
- st####thbrown.net/forum/search.php?em####################################
UDP:
- DNS ASK ou####enation.net
- DNS ASK mo####ntnation.net
- DNS ASK mo####ntsoldier.net
- DNS ASK mo####ntplease.net
- DNS ASK ou####esoldier.net
- DNS ASK st####aughter.net
- DNS ASK st###brown.net
- DNS ASK st####thbrown.net
- DNS ASK st####thpeople.net
- DNS ASK st#####hdaughter.net
- DNS ASK st###people.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'Indicator' WindowName: '(null)'
