Technical Information
Malicious functions:
Creates and executes the following:
- "%TEMP%\~!09wxe09.tmp" (downloaded from the Internet)
- "%TEMP%\~!09wte09.tmp" (downloaded from the Internet)
- "%TEMP%\~!0958e09.tmp" (downloaded from the Internet)
- "%TEMP%\~!09wee09.tmp" (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\spoolsv.exe
Modifies file system :
Creates the following files:
- %TEMP%\~!09wxe09.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\2[1].bin
- %TEMP%\~!09wte09.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\3[1].bin
- %TEMP%\~!09wee09.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\4[1].bin
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\chaji[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\1[1].bin
- %TEMP%\~!0958e09.tmp
Network activity:
Connects to:
- 'localhost':1038
- 'sb.##fabcd.info':80
- 'localhost':1035
- 'www.dn##1.com':80
TCP:
HTTP GET requests:
- sb.##fabcd.info/chaji/2.bin
- sb.##fabcd.info/chaji/3.bin
- sb.##fabcd.info/chaji/1.bin
- www.dn##1.com/mfsm/chaji/chaji.htm
- sb.##fabcd.info/chaji/4.bin
UDP:
- DNS ASK sb.##fabcd.info
- DNS ASK www.dn##1.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
