Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'wpcpetcn.exe' = 'C:\ProgramData\wpcpetcn.exe'
Modifies file system :
Creates the following files:
- <LS_APPDATA>\Microsoft\Internet Explorer\Recovery\High\Active\{EE7BAB48-DDEC-11E4-B9ED-85B6CFF65FF3}.dat
- %TEMP%\~DFA5C461B8E8FAFDAF.TMP
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\log[1]
- C:\ProgramData\wpcpetcn.exe
- <LS_APPDATA>\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EE7BAB46-DDEC-11E4-B9ED-85B6CFF65FF3}.dat
- %TEMP%\~DF3B827614E456935A.TMP
Network activity:
Connects to:
- '81.##.149.173':80
TCP:
HTTP GET requests:
- http://81.##.149.173/log?ev###########################################################
UDP:
- DNS ASK ie#####t.microsoft.com
- DNS ASK ie#####e.microsoft.com
- DNS ASK dn#.##ftncsi.com
- DNS ASK go.###rosoft.com
- DNS ASK ur#.##crosoft.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
