Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'GrpConv' = 'grpconv -o'
- [<HKLM>\SOFTWARE\Classes\MSProgramGroup\Shell\Open\Command] '' = '<SYSTEM32>\grpconv.exe %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '5ffda' = '%APPDATA%\u58tuv6.exe'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\21917368] 'Name' = '"%TEMP%\5.tmp"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Sxikihuvuw' = 'rundll32.exe "%WINDIR%\momsi2r.dll",Startup'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\MouseDriver] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- %APPDATA%\u58tuv6.exe -d0516BE54A86F5D82D524D5F20C48747105902C5C9AF8539A0D6164123CEACBA3CAB6FDE0473B6D33DBAF238C003EFAD24B88CB235FF41B477148FF83136C5220155C76D9C5CD31DDD495682FA15ACAC0C6F1A0EC13A266665DEFD3BBCE3A79FF91C63022130DD6663AFC386F30F32075BD00D0E3471C81B6EAC895DB502E9E5C25336FC66123CA1EC4F5693A2DE979FDB954C0C0CBCAF8B771EA3966B9675CB4FB9EB8C52147B8946D3A0F555BC5943F84EF14A7B2909A238A87F6796B5391727D02D1C3034E906B6D1D7FE5B9286B2C2698B1F44C0172FE0FEC3FAF06C05B8C52EEBDB1F94B7CCD3D3C4FDE89433D7EE8DDBE972B58CE7A19A9CB436B90157E648AC36934BCEB5F9770536F4C05874155F59EA71E313AA100378DC5BC115D67DC906691246F88B5724CA1DEC2DC05E933E5F64C37B585B45E6DBBCC59201163246A6D177B9F43FC09188DC0EE2FB5528D86ADEDC742BA460CA5CAA0E3074C34E386DCC1293746EDD406ACF00FD9D3B4AB04E68E6033271422D96F7B3CBC6DD6032CF84F600C00F28CFAD459A752DD6417090647D13B5835FA3F9F0C844E0FF7AD2547FB90321D4C2ABF196677A890559AECB46A2D611CF12D1A8E3B1C6E10064AE48CBE6BE38AACE845D060800CE7983BD3D2A9C4B77ED09494B30DA64C8E9B8278CD2AE22774AB3E118F3003ED2260462788932697CC7E479AC10402E8E4B3409950BA25E54996
- "%TEMP%\hvgxrel.exe" (downloaded from the Internet)
- "%TEMP%\vlflp.exe" (downloaded from the Internet)
- "%TEMP%\ojiunesf.exe" (downloaded from the Internet)
- "%TEMP%\vyxp.exe" (downloaded from the Internet)
- "%TEMP%\jvowus.exe" (downloaded from the Internet)
- "%TEMP%\nsnu.exe" (downloaded from the Internet)
- "%TEMP%\ysxenhy.exe" (downloaded from the Internet)
- "%TEMP%\vhglsog.exe" (downloaded from the Internet)
- "%TEMP%\rlupkh.exe" (downloaded from the Internet)
- "%TEMP%\ikrjim.exe" (downloaded from the Internet)
- "%TEMP%\dxybapfj.exe" (downloaded from the Internet)
- "%TEMP%\750234914" (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\runonce.exe -r
- <SYSTEM32>\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %APPDATA%\mdinstall.inf
- <SYSTEM32>\net1.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
- <SYSTEM32>\rundll32.exe "%WINDIR%\momsi2r.dll",iep
- <SYSTEM32>\grpconv.exe -o
- <SYSTEM32>\cmd.exe /c "%APPDATA%\3va3x6d11.bat"
- <SYSTEM32>\net1.exe stop "Security Center"
- <SYSTEM32>\net.exe stop "Security Center"
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\rundll32.exe "%WINDIR%\momsi2r.dll",Startup
- <SYSTEM32>\sc.exe config SharedAccess start= DISABLED
- <SYSTEM32>\net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
- <SYSTEM32>\sc.exe config wscsvc start= DISABLED
Injects code into
the following system processes:
- <SYSTEM32>\spoolsv.exe
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\klppp[1].php
- %TEMP%\Rlb..bat
- %TEMP%\vlflp.exe
- %TEMP%\ojiunesf.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\obcptx[1].php
- %TEMP%\dxybapfj.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\wjwjwaobfs[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\sftkxkb[1].php
- %APPDATA%\3va3x6d11.bat
- %TEMP%\ikrjim.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\xxobo[1].php
- %TEMP%\vyxp.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\gqquulypp[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\gggklycc[1].php
- %WINDIR%\afosuzogerutew.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\CA012345.php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\oyppct[1].php
- %TEMP%\hvgxrel.exe
- %TEMP%\nsnu.exe
- %TEMP%\jvowus.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\pcppgk[1].php
- %TEMP%\nss3.tmp\IR.exe
- %TEMP%\nss3.tmp\6tbp.exe
- %WINDIR%\momsi2r.dll
- %WINDIR%\Temp\6.tmp
- %TEMP%\4.tmp
- %TEMP%\nss3.tmp\ic2.exe
- %TEMP%\nsx2.tmp
- %TEMP%\nss3.tmp\1EuroP.exe
- %TEMP%\nss3.tmp\3E4U - Bucks.exe
- %TEMP%\nss3.tmp\2IC.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ndrei[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\iwwnnrvi[1].php
- %TEMP%\ysxenhy.exe
- %TEMP%\750234914
- %APPDATA%\mdinstall.inf
- %APPDATA%\MouseDriver.bat
- %APPDATA%\u58tuv6.exe
- %TEMP%\vhglsog.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\jjnaeei[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\cpptuxlpc[1].php
- %TEMP%\rlupkh.exe
Sets the 'hidden' attribute to the following files:
- %APPDATA%\MouseDriver.bat
Deletes the following files:
- <DRIVERS>\etc\hosts
- %TEMP%\5.tmp
- %WINDIR%\Temp\6.tmp
- <SYSTEM32>\svchost.exe
- %APPDATA%\mdinstall.inf
- %TEMP%\nss3.tmp\2IC.exe
- %TEMP%\nss3.tmp\1EuroP.exe
- %TEMP%\nss3.tmp\3E4U - Bucks.exe
- %TEMP%\nss3.tmp\IR.exe
- %TEMP%\nss3.tmp\ic2.exe
Network activity:
Connects to:
- 'localhost':1041
- '10######062f.wordbean.net':80
- 'w.#####ardiscover.com':888
- 'br###tlegume.in':80
- 'ca###iod.com':80
TCP:
HTTP GET requests:
- ca###iod.com/pxxko/oyppct.php?ad################################
- ca###iod.com/pxxko/xxobo.php?ad################################
- ca###iod.com/pxxko/obcptx.php?ad################################
- ca###iod.com/pxxko/gggklycc.php?ad##############################################################
- ca###iod.com/pxxko/gqquulypp.php?ad################################
- ca###iod.com/pxxko/pcppgk.php?ad################################
- ca###iod.com/pxxko/klppp.php?ad################################
- ca###iod.com/pxxko/cpptuxlpc.php?ad################################
- ca###iod.com/pxxko/jjnaeei.php?ad################################
- ca###iod.com/pxxko/ndrei.php?ad################################
- ca###iod.com/pxxko/sftkxkb.php?ad################################
- ca###iod.com/pxxko/wjwjwaobfs.php?ad################################
- ca###iod.com/pxxko/iwwnnrvi.php?ad################################
HTTP POST requests:
- br###tlegume.in/90ds8c9ds8c9d0s8cds.php?in##############################################################################################################
UDP:
- DNS ASK ca###iod.com
- DNS ASK w.#####ardiscover.com
- DNS ASK 10######062f.wordbean.net
- DNS ASK br###tlegume.in
- DNS ASK ti##pic.com
- DNS ASK ma##h.com
- DNS ASK da##.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'SystemTray_Main' WindowName: ''
- ClassName: 'CSCHiddenWindow' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
