Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RWLN] 'Startup' = 'WLEventStartup'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RWLN] 'Logon' = 'WLEventLogon'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RWLN] 'DllName' = 'RWLN.dll'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\RManService] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\catroot3\rutserv.exe' /start
- '<SYSTEM32>\catroot3\rutserv.exe'
- '<SYSTEM32>\catroot3\rfusclient.exe' /tray
- '<Current directory>\setup.exe'
- '<SYSTEM32>\catroot3\rutserv.exe' /silentinstall
- '<SYSTEM32>\catroot3\rutserv.exe' /firewall
Executes the following:
- '<SYSTEM32>\net1.exe' stop "Service Host Controller"
- '<SYSTEM32>\net.exe' stop "Service Host Controller"
- '<SYSTEM32>\net1.exe' user HelpAssistant /delete
- '<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Операционная система Microsoft Windows" /f
- '<SYSTEM32>\schtasks.exe' /delete /tn security /f
- '<SYSTEM32>\sc.exe' config tlntsvr start= disabled
- '<SYSTEM32>\attrib.exe' -s -h -r "<SYSTEM32>\r_server.exe"
- '<SYSTEM32>\attrib.exe' -s -h "%WINDIR%\SysWOW64\rserver30"
- '<SYSTEM32>\attrib.exe' -s -h -r "%WINDIR%\SysWOW64\r_server.exe"
- '<SYSTEM32>\net1.exe' stop Telnet
- '<SYSTEM32>\net.exe' stop Telnet
- '<SYSTEM32>\attrib.exe' -s -h -r "%TEMP%\blat.exe"
- '<SYSTEM32>\attrib.exe' -s -h -r "%TEMP%\block_reader.sys"
- '<SYSTEM32>\attrib.exe' -s -h -r "%TEMP%\realip.exe"
- '<SYSTEM32>\attrib.exe' -s -h -r "%TEMP%\install.bat"
- '<SYSTEM32>\attrib.exe' -s -h -r "%TEMP%\stop.js"
- '<SYSTEM32>\ping.exe' -n 5 127.0.0.1
- '<SYSTEM32>\reg.exe' delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f
- '<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f
- '<SYSTEM32>\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f
- '%WINDIR%\regedit.exe' /s set.reg
- '<SYSTEM32>\reg.exe' delete "HKLM\System\CurrentControlSet\Services\RServer3" /f
- '<SYSTEM32>\attrib.exe' +s +h +r "%TEMP%\blat.lib"
- '<SYSTEM32>\attrib.exe' +s +h +r "%TEMP%\blat.dll"
- '<SYSTEM32>\attrib.exe' +s +h +r "%TEMP%\block_reader.sys"
- '<SYSTEM32>\attrib.exe' +s +h +r "%TEMP%\realip.exe"
- '<SYSTEM32>\attrib.exe' +s +h +r "%TEMP%\blat.exe"
- '<SYSTEM32>\attrib.exe' +s +h "<SYSTEM32>\catroot3"
- '<SYSTEM32>\wscript.exe' "%TEMP%\stop.js"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shell32.dll,OpenAs_RunDLL <Current directory>\Inver.jar
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\install.bat" "
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\7ZSfx000.cmd" "
- '<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\Remote Manipulator System" /f
- '<SYSTEM32>\taskkill.exe' /f /im cam_server.exe
- '<SYSTEM32>\taskkill.exe' /f /im r_server.exe
- '<SYSTEM32>\attrib.exe' -s -h -r "<SYSTEM32>\cam_server.exe"
- '<SYSTEM32>\attrib.exe' -s -h "<SYSTEM32>\rserver30"
- '<SYSTEM32>\attrib.exe' -s -h -r "%WINDIR%\SysWOW64\cam_server.exe"
- '<SYSTEM32>\taskkill.exe' /f /im rserver3.exe
- '<SYSTEM32>\attrib.exe' +s +h +r "%TEMP%\install.bat"
- '<SYSTEM32>\attrib.exe' +s +h +r "%TEMP%\stop.js"
- '<SYSTEM32>\attrib.exe' +s +h +r "<SYSTEM32>\de.exe"
- '<SYSTEM32>\net1.exe' stop rserver3
- '<SYSTEM32>\net.exe' stop rserver3
Modifies file system :
Creates the following files:
- %TEMP%\Printer\x86\SampleClient.exe
- %TEMP%\Printer\x86\setupdrv.exe
- %TEMP%\Printer\x64\setupdrv.exe
- %TEMP%\Printer\x86\rmsui2.exe
- %TEMP%\Printer\x64\rmsui2.exe
- %TEMP%\rutserv.exe
- %TEMP%\Printer\x64\VPDAgent_x64.exe
- %TEMP%\dsfVorbisDecoder.dll
- %TEMP%\dsfVorbisEncoder.dll
- %TEMP%\Printer\x86\srvinst.exe
- %TEMP%\Printer\x64\srvinst_x64.exe
- %TEMP%\Printer\x86\VPDAgent.exe
- %TEMP%\Printer\x86\rms_s.lng
- %TEMP%\stop.js
- %TEMP%\install.bat
- %TEMP%\Printer\x64\rms.lng
- %TEMP%\Printer\x86\rms.lng
- %TEMP%\Printer\x64\rms_s.lng
- %TEMP%\Printer\x86\progress.exe
- %TEMP%\Printer\x64\progress.exe
- %TEMP%\rfusclient.exe
- %TEMP%\set.reg
- %TEMP%\Printer\x86\fwproc.exe
- %TEMP%\Printer\x64\fwproc.exe
- %TEMP%\gdiplus.dll
- %TEMP%\vp8encoder.dll
- %TEMP%\7ZSfx000.cmd
- <SYSTEM32>\catroot3\dsfVorbisEncoder.dll
- %TEMP%\Printer\x86\unires_vpd.dll
- %TEMP%\Printer\x64\unires_vpd.dll
- %TEMP%\vp8decoder.dll
- <SYSTEM32>\catroot3\RWLN.dll
- <SYSTEM32>\catroot3\set.reg
- <SYSTEM32>\RWLN.dll
- <SYSTEM32>\catroot3\rfusclient.exe
- <SYSTEM32>\catroot3\RIPCServer.dll
- <SYSTEM32>\catroot3\rutserv.exe
- %TEMP%\Printer\x86\rmspm.dll
- %TEMP%\Printer\x64\rmspm.dll
- %TEMP%\Printer\x86\rmsui.dll
- %TEMP%\msvcp90.dll
- %TEMP%\msvcr90.dll
- %TEMP%\RIPCServer.dll
- %TEMP%\Printer\x64\unidrvui_rms.dll
- %TEMP%\Printer\x86\unidrv_rms.dll
- %TEMP%\Printer\x64\unidrv_rms.dll
- %TEMP%\Printer\x64\rmsui.dll
- %TEMP%\RWLN.dll
- %TEMP%\Printer\x86\unidrvui_rms.dll
- <Current directory>\lib\commons-logging-tests.jar
- <Current directory>\lib\fluent-hc-4.3.jar
- <Current directory>\lib\gson-2.2.4.jar
- <Current directory>\lib\commons-logging-1.1.3.jar
- <Current directory>\lib\commons-logging-adapters-1.1.3.jar
- <Current directory>\lib\commons-logging-api-1.1.3.jar
- <Current directory>\lib\httpmime-4.3.jar
- <Current directory>\lib\ini4j-0.5.2-SNAPSHOT-javadoc.jar
- <Current directory>\lib\ini4j-0.5.2-SNAPSHOT-jdk14.jar
- <Current directory>\lib\httpclient-4.3.jar
- <Current directory>\lib\httpclient-cache-4.3.jar
- <Current directory>\lib\httpcore-4.3.jar
- <Current directory>\lib\commons-codec-1.8-javadoc.jar
- <Current directory>\lib\commons-codec-1.8-sources.jar
- <Current directory>\lib\commons-codec-1.8-test-sources.jar
- <Current directory>\Inver.jar
- <Current directory>\setup.exe
- <Current directory>\lib\commons-codec-1.6.jar
- <Current directory>\lib\commons-logging-1.1.3-sources.jar
- <Current directory>\lib\commons-logging-1.1.3-test-sources.jar
- <Current directory>\lib\commons-logging-1.1.3-tests.jar
- <Current directory>\lib\commons-codec-1.8-tests.jar
- <Current directory>\lib\commons-codec-1.8.jar
- <Current directory>\lib\commons-logging-1.1.3-javadoc.jar
- <Current directory>\lib\ini4j-0.5.2-SNAPSHOT-sources.jar
- %TEMP%\Printer\x86\unidrv_rms.hlp
- %TEMP%\Printer\x64\rms.gpd
- %TEMP%\Printer\x86\rms.gpd
- %TEMP%\Printer\x86\rms.ini
- %TEMP%\EULA.rtf
- %TEMP%\Printer\x64\unidrv_rms.hlp
- %TEMP%\Printer\x86\ntprint.inf
- %TEMP%\English.lg
- %TEMP%\Russian.lg
- %TEMP%\Printer\x64\stdnames_vpd.gpd
- %TEMP%\Printer\x86\stdnames_vpd.gpd
- %TEMP%\Printer\x64\ntprint.inf
- <Current directory>\lib\swingx-beaninfo-1.6.2.jar
- <Current directory>\lib\swingx-core-1.6.2.jar
- <Current directory>\lib\swt.jar
- <Current directory>\lib\ini4j-0.5.2-SNAPSHOT.jar
- <Current directory>\lib\json_simple-1.1.jar
- <Current directory>\lib\swingx-all-1.6.4.jar
- %TEMP%\Printer\x64\uninstall.cmd
- %TEMP%\Printer\x86\uninstall.cmd
- %TEMP%\Printer\x64\rms.ini
- %TEMP%\Microsoft.VC90.CRT.manifest
- %TEMP%\Printer\x64\install.cmd
- %TEMP%\Printer\x86\install.cmd
Sets the 'hidden' attribute to the following files:
- %TEMP%\install.bat
Deletes the following files:
- %TEMP%\7ZSfx000.cmd
- <Current directory>\setup.exe
- %TEMP%\stop.js
Network activity:
Connects to:
- 'rm#####ver.tektonit.ru':563
- 'rm#####ver.tektonit.ru':5655
UDP:
- DNS ASK rm#####ver.tektonit.ru
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
