Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Menology' = '%APPDATA%\Menology\MenologyBox.exe /start'
Malicious functions:
Creates and executes the following:
- '%PROGRAM_FILES%\wannengrili\yunboplayer.exe'
- '%APPDATA%\Menology\MenologyBox.exe' /install
- '%APPDATA%\Menology\MenologyQuick.exe' MenologyQuick
- '%PROGRAM_FILES%\wannengrili\calendar_s[127].exe'
- '%PROGRAM_FILES%\wannengrili\pczh_107_1.exe'
- '%PROGRAM_FILES%\wannengrili\TTK_7160010020140313_v142.exe'
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'RecommendedLevel' = '00011000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'MinLevel' = '00011000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Flags' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1805' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1805' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'DisplayName' = 'Internet'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Icon' = 'inetcpl.cpl#001313'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Description' = 'This zone contains all Web sites you haven't placed in other zones'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'CurrentLevel' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Flags' = '00000003'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'CurrentLevel' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'CurrentLevel' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'CurrentLevel' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Description' = 'This zone contains Web sites that could potentially damage your computer or data.'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'DisplayName' = 'Restricted sites'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Icon' = 'inetcpl.cpl#00004481'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'RecommendedLevel' = '00012000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'MinLevel' = '00012000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Flags' = '00000047'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1805' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Flags' = '00000021'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'Description' = 'This zone contains all Web sites that are on your organization's intranet.'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'DisplayName' = 'Local intranet'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'DisplayName' = 'My Computer'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Description' = 'Your computer'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'CurrentLevel' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Icon' = 'explorer.exe#0100'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Description' = 'This zone contains Web sites that you trust not to damage your computer or data.'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'DisplayName' = 'Trusted sites'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Icon' = 'inetcpl.cpl#00004480'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'RecommendedLevel' = '00010000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'MinLevel' = '00010000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'MinLevel' = '00010000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'Icon' = 'shell32.dll#0018'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'RecommendedLevel' = '00010500'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '' = ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1805' = '00000000'
Modifies file system :
Creates the following files:
- %TEMP%\nsh9.tmp\FindProcDLL.dll
- %ALLUSERSPROFILE%\Desktop\?nEO»?Au.lnk
- %APPDATA%\Menology\Skins\yun.png
- %APPDATA%\Menology\Uninst.exe
- %HOMEPATH%\My Documents\Menology\config\soft.inf
- %TEMP%\RGIA.tmp
- %TEMP%\RGIB.tmp
- %TEMP%\nsw6.tmp\NSISdl.dll
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\?nEO»?Au.lnk
- %APPDATA%\Menology\Skins\Search\bg_icon.png
- %APPDATA%\Menology\Skins\Search\la_focus.png
- %APPDATA%\Menology\Skins\Mini\close.png
- %APPDATA%\Menology\Skins\Mini\min.png
- %APPDATA%\Menology\Skins\Search\la_select.png
- %APPDATA%\Menology\Skins\set.png
- %APPDATA%\Menology\Skins\small_bg.png
- %APPDATA%\Menology\Skins\Search\left.png
- %APPDATA%\Menology\Skins\Search\right.png
- %TEMP%\RGIC.tmp
- %PROGRAM_FILES%\ainqngz4.7\energy.exe
- %HOMEPATH%\Start Menu\Programs\°®Зй.ЦЗ»Ы.4.7\Р¶ФШ.lnk
- %PROGRAM_FILES%\ainqngz4.7\uninstall.exe
- %PROGRAM_FILES%\ainqngz4.7\kinetic.exe
- %HOMEPATH%\Start Menu\Programs\°®Зй.ЦЗ»Ы.4.7\°®Зй.ЦЗ»Ы.4.7.lnk
- %TEMP%\nsw6.tmp\nsF.tmp
- %TEMP%\Temporary Internet Files\Content.IE5\QNYNQDSR\iplookup[1].php
- %TEMP%\nsw6.tmp\nsExec.dll
- %TEMP%\nsw6.tmp\nsE.tmp
- %TEMP%\Temporary Internet Files\Content.IE5\NM3UKH8R\desktop.ini
- %TEMP%\Temporary Internet Files\Content.IE5\QNYNQDSR\desktop.ini
- %TEMP%\RGID.tmp
- %TEMP%\Temporary Internet Files\Content.IE5\desktop.ini
- %TEMP%\Temporary Internet Files\Content.IE5\ZNWFSGNX\desktop.ini
- %TEMP%\Temporary Internet Files\Content.IE5\NM3UKH8R\active[1].html
- %PROGRAM_FILES%\ainqngz4.7\Ainqngz4.7.exe
- %TEMP%\History\History.IE5\desktop.ini
- %HOMEPATH%\Templates\1120146172256531\YYM_955WD30.gif
- %APPDATA%\Menology\Skins\Mini\bakground.png
- %TEMP%\nsm8.tmp
- %TEMP%\nsw6.tmp\Base64.dll
- %PROGRAM_FILES%\wannengrili\uboskin\config.ini
- %TEMP%\nsl5.tmp
- %TEMP%\nsh9.tmp\cpage.ini
- %TEMP%\nsh9.tmp\TTKInsAssistant.dll
- %APPDATA%\Menology\AssistModule.dll
- %TEMP%\nsh9.tmp\closebrowerpage.ini
- %TEMP%\nsw6.tmp\System.dll
- %TEMP%\nsy3.tmp\NSISdl.dll
- %TEMP%\nsy3.tmp\Proces
- %TEMP%\nst2.tmp
- %TEMP%\nsy3.tmp\System.dll
- %PROGRAM_FILES%\wannengrili\TTK_7160010020140313_v142.exe
- %PROGRAM_FILES%\wannengrili\tj.txt
- %PROGRAM_FILES%\wannengrili\yunboplayer.exe
- %PROGRAM_FILES%\wannengrili\calendar_s[127].exe
- %PROGRAM_FILES%\wannengrili\pczh_107_1.exe
- %APPDATA%\Menology\config\SearchConfig.ini
- %APPDATA%\Menology\Skins\life.png
- %APPDATA%\Menology\Skins\line.png
- %TEMP%\nsh9.tmp\System.dll
- %APPDATA%\Menology\Skins\joke.png
- %APPDATA%\Menology\Skins\Menu\menuright.png
- %APPDATA%\Menology\Skins\Menu\menuseparator.png
- %APPDATA%\Menology\Skins\Menu\menu_bg.png
- %APPDATA%\Menology\Skins\Menu\menurmark.png
- %APPDATA%\Menology\Skins\Menu\menuselectbar.png
- %APPDATA%\Menology\data\data.bin
- %APPDATA%\Menology\Disconnect\disconnect.html
- %APPDATA%\Menology\config\TipsConfig.ini
- %APPDATA%\Menology\config\TitleConfig.ini
- %APPDATA%\Menology\Disconnect\disconnect.jpg
- %APPDATA%\Menology\Skins\bk.png
- %APPDATA%\Menology\Skins\game.png
- %APPDATA%\Menology\MenologyBox.exe
- %APPDATA%\Menology\MenologyQuick.exe
Sets the 'hidden' attribute to the following files:
- %TEMP%\Temporary Internet Files\Content.IE5\ZNWFSGNX\desktop.ini
- %TEMP%\History\History.IE5\desktop.ini
- %TEMP%\Temporary Internet Files\Content.IE5\QNYNQDSR\desktop.ini
- %TEMP%\Temporary Internet Files\Content.IE5\desktop.ini
- %TEMP%\Temporary Internet Files\Content.IE5\NM3UKH8R\desktop.ini
Deletes the following files:
- %TEMP%\RGIB.tmp
- %TEMP%\RGIA.tmp
- %TEMP%\nsh9.tmp\TTKInsAssistant.dll
- %TEMP%\RGIC.tmp
- %TEMP%\nsw6.tmp\nsF.tmp
- %HOMEPATH%\Templates\1120146172256531\YYM_955WD30.gif
- %TEMP%\RGID.tmp
- %TEMP%\nsy3.tmp\System.dll
- %TEMP%\nsy3.tmp\Proces
- %TEMP%\nsy3.tmp\NSISdl.dll
- %TEMP%\nsh9.tmp\closebrowerpage.ini
- %TEMP%\nsh9.tmp\System.dll
- %TEMP%\nsh9.tmp\FindProcDLL.dll
- %TEMP%\nsh9.tmp\cpage.ini
Network activity:
Connects to:
- 'localhost':1042
- 'up####.aiqingzhihui.com':80
- 'in#.###ol.sina.com.cn':80
- 'so###.dllst.cn':80
- 'localhost':1038
- 'hl.###gren123.com':80
TCP:
HTTP GET requests:
- up####.aiqingzhihui.com/0403/help1.html
- in#.###ol.sina.com.cn/iplookup/iplookup.php?fo#############
- so###.dllst.cn/app.txt
- hl.###gren123.com/tj/active.html?ti#############
UDP:
- DNS ASK m.####ren123.com
- DNS ASK www.ip##8.com
- DNS ASK in#.###ol.sina.com.cn
- DNS ASK so###.dllst.cn
- DNS ASK hl.###gren123.com
- DNS ASK up####.aiqingzhihui.com
- '11#.#8.23.196':3201
Miscellaneous:
Searches for the following windows:
- ClassName: '#32770' WindowName: '????????'
- ClassName: '#32770' WindowName: '????????????????'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
