Technical Information
Malicious functions:
Creates and executes the following:
- %WINDIR%\system\amarela.exe (downloaded from the Internet)
- %WINDIR%\system\winkill.exe (downloaded from the Internet)
- %WINDIR%\system\Internet8.exe (downloaded from the Internet)
- %WINDIR%\system\InternetBradesco.exe (downloaded from the Internet)
Modifies file system :
Creates the following files:
- %WINDIR%\system\amarela.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\Amarela[1].jpg
- %WINDIR%\system\winkill.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\winkill[1].jpg
- %WINDIR%\system\Internet8.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\Vermelha[1].jpg
- %WINDIR%\system\InternetBradesco.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\Red[1].jpg
Network activity:
Connects to:
- 'www.li####line.zxq.net':80
- 'localhost':1036
TCP:
HTTP GET requests:
- www.li####line.zxq.net/Amarela.jpg
- www.li####line.zxq.net/winkill.jpg
- www.li####line.zxq.net/Vermelha.jpg
- www.li####line.zxq.net/Red.jpg
UDP:
- DNS ASK www.li####line.zxq.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WINHELP' WindowName: ''
