Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'drvsyskit' = '%APPDATA%\drivers\winupgro.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\srosa] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\srosa] 'ImagePath' = '<SYSTEM32>\wfsintwq.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\sK9Ou0s] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\sK9Ou0s] 'ImagePath' = '<SYSTEM32>\srosa2.sys'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Security Center
blocks the following features:
- User Account Control (UAC)
Executes the following:
- '%APPDATA%\drivers\winupgro.exe'
Terminates or attempts to terminate
a large number of user processes.
Searches for windows to
detect analytical utilities:
- ClassName: '' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: ''
- ClassName: '' WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass' WindowName: ''
- ClassName: '' WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'GBDYLLO' WindowName: ''
- ClassName: 'OLLYDBG' WindowName: ''
- ClassName: 'FilemonClass' WindowName: ''
- ClassName: 'pediy06' WindowName: ''
Restores hooked functions in System Service Descriptor Table (SSDT).
Hides the following processes:
- %APPDATA%\drivers\winupgro.exe
Modifies file system:
Creates the following files:
- %APPDATA%\drivers\downld\203109.exe
- %APPDATA%\drivers\downld\203531.exe
- %APPDATA%\drivers\downld\200843.exe
- %APPDATA%\drivers\downld\201687.exe
- %APPDATA%\drivers\downld\209578.exe
- %APPDATA%\drivers\downld\210390.exe
- %APPDATA%\drivers\downld\205593.exe
- %APPDATA%\drivers\downld\207703.exe
- %APPDATA%\drivers\downld\190656.exe
- %APPDATA%\drivers\downld\191812.exe
- %APPDATA%\drivers\downld\187406.exe
- %APPDATA%\drivers\downld\188234.exe
- %APPDATA%\drivers\downld\197546.exe
- %APPDATA%\drivers\downld\198781.exe
- %APPDATA%\drivers\downld\193703.exe
- %APPDATA%\drivers\downld\195390.exe
- %APPDATA%\drivers\downld\227421.exe
- %APPDATA%\drivers\downld\229562.exe
- %APPDATA%\drivers\downld\224828.exe
- %APPDATA%\drivers\downld\225640.exe
- %APPDATA%\drivers\downld\234390.exe
- %APPDATA%\drivers\downld\235031.exe
- %APPDATA%\drivers\downld\232171.exe
- %APPDATA%\drivers\downld\232546.exe
- %APPDATA%\drivers\downld\215968.exe
- %APPDATA%\drivers\downld\217406.exe
- %APPDATA%\drivers\downld\212796.exe
- %APPDATA%\drivers\downld\213968.exe
- %APPDATA%\drivers\downld\222234.exe
- %APPDATA%\drivers\downld\223125.exe
- %APPDATA%\drivers\downld\219296.exe
- %APPDATA%\drivers\downld\219750.exe
- %APPDATA%\drivers\downld\161281.exe
- %APPDATA%\drivers\downld\162765.exe
- %APPDATA%\drivers\downld\158718.exe
- %APPDATA%\drivers\downld\159078.exe
- %APPDATA%\drivers\downld\165531.exe
- %APPDATA%\drivers\downld\165890.exe
- %APPDATA%\drivers\downld\163937.exe
- %APPDATA%\drivers\downld\164312.exe
- <SYSTEM32>\wfsintwq.sys
- %APPDATA%\drivers\downld\152796.exe
- %APPDATA%\drivers\winupgro.exe
- <SYSTEM32>\srosa2.sys
- %APPDATA%\drivers\downld\157187.exe
- %APPDATA%\drivers\downld\157546.exe
- %APPDATA%\drivers\downld\155468.exe
- %APPDATA%\drivers\downld\155828.exe
- %APPDATA%\drivers\downld\180218.exe
- %APPDATA%\drivers\downld\180625.exe
- %APPDATA%\drivers\downld\178453.exe
- %APPDATA%\drivers\downld\178796.exe
- %APPDATA%\drivers\downld\183921.exe
- %APPDATA%\drivers\downld\185500.exe
- %APPDATA%\drivers\downld\181078.exe
- %APPDATA%\drivers\downld\181546.exe
- %APPDATA%\drivers\downld\169765.exe
- %APPDATA%\drivers\downld\170500.exe
- %APPDATA%\drivers\downld\167375.exe
- %APPDATA%\drivers\downld\167890.exe
- %APPDATA%\drivers\downld\176328.exe
- %APPDATA%\drivers\downld\177125.exe
- %APPDATA%\drivers\downld\172187.exe
- %APPDATA%\drivers\downld\173843.exe
Network activity:
Connects to:
- 'al###onacina.it':80
- 'iq#.com.au':80
- 'www.me####e.pucon.com':80
- 'av####.siorc.com':80
- 'pa#####llodelsenegal.it':80
- 'tr####l-a-dom.com':80
- 'www.ha####doweb.com.ar':80
- 'au####rtualetb.com':80
- 'oc###n.com.br':80
- 'da####rmas24.com':80
- 'ho###ebperu.com':80
- 'www.av##tura.tv':80
- 'www.we####instrand.nl':80
- 'ir#.cl':80
- 'co######irosdobrasil.net':80
- 'an###appert.nl':80
- 'ab###r.co.uk':80
- 'me#####tesannonces.fr':80
- 'dj###ree.info':80
- 'www.br###mann-es.de':80
- 'kt#####tware.home.pl':80
- '74.##5.232.51':80
- 'bi##eh.pl':80
- 'do#####one.cwsurf.de':80
- '21#.#44.224.5':80
- 'www.di####ioniarredi.it':80
- 'ac####rmatica.net':80
- 'www.ev######iadecampo.com.ar':80
- 'www.de####klumpp.info':80
- 'mu####ahamurcu.com':80
- 'ho###alsole.it':80
- 'so#####.awardspace.com':80
TCP:
HTTP GET requests:
- http://al###onacina.it/dwld32.php?cr#####
- http://av####.siorc.com/dwld32.php?cr#####
- http://www.me####e.pucon.com/dwld32.php?cr#####
- http://iq#.com.au/dwld32.php?cr#####
- http://pa#####llodelsenegal.it/dwld32.php?cr#####
- http://au####rtualetb.com/dwld32.php?cr#####
- http://www.ha####doweb.com.ar/dwld32.php?cr#####
- http://ir#.cl/dwld32.php?cr#####
- http://oc###n.com.br/dwld32.php?cr#####
- http://www.av##tura.tv/dwld32.php?cr#####
- http://ho###ebperu.com/dwld32.php?cr#####
- http://da####rmas24.com/dwld32.php?cr#####
- http://www.we####instrand.nl/dwld32.php?cr#####
- http://an###appert.nl/dwld32.php?cr#####
- http://co######irosdobrasil.net/dwld32.php?cr#####
- http://tr####l-a-dom.com/dwld32.php?cr#####
- http://ab###r.co.uk/dwld32.php?cr#####
- http://www.br###mann-es.de/dwld32.php?cr#####
- http://dj###ree.info/dwld32.php?cr#####
- http://me#####tesannonces.fr/dwld32.php?cr#####
- http://kt#####tware.home.pl/dwld32.php?cr#####
- http://do#####one.cwsurf.de/dwld32.php?cr#####
- http://bi##eh.pl/dwld32.php?cr#####
- http://mu####ahamurcu.com/dwld32.php?cr#####
- http://21#.#44.224.5/dwld32.php?cr#####
- http://www.ev######iadecampo.com.ar/dwld32.php?cr#####
- http://ac####rmatica.net/dwld32.php?cr#####
- http://www.di####ioniarredi.it/dwld32.php?cr#####
- http://www.de####klumpp.info/dwld32.php?cr#####
- http://so#####.awardspace.com/dwld32.php?cr#####
- http://ho###alsole.it/dwld32.php?cr#####
UDP:
- DNS ASK al###onacina.it
- DNS ASK av####.siorc.com
- DNS ASK www.me####e.pucon.com
- DNS ASK iq#.com.au
- DNS ASK pa#####llodelsenegal.it
- DNS ASK au####rtualetb.com
- DNS ASK www.ha####doweb.com.ar
- DNS ASK ir#.cl
- DNS ASK oc###n.com.br
- DNS ASK www.av##tura.tv
- DNS ASK ho###ebperu.com
- DNS ASK da####rmas24.com
- DNS ASK www.we####instrand.nl
- DNS ASK an###appert.nl
- DNS ASK co######irosdobrasil.net
- DNS ASK tr####l-a-dom.com
- DNS ASK me#####tesannonces.fr
- DNS ASK ab###r.co.uk
- DNS ASK www.br###mann-es.de
- DNS ASK bi##eh.pl
- DNS ASK google.com
- DNS ASK kt#####tware.home.pl
- DNS ASK do#####one.cwsurf.de
- DNS ASK dj###ree.info
- DNS ASK www.di####ioniarredi.it
- DNS ASK www.ev######iadecampo.com.ar
- DNS ASK ac####rmatica.net
- DNS ASK ho###alsole.it
- DNS ASK mu####ahamurcu.com
- DNS ASK www.de####klumpp.info
- DNS ASK so#####.awardspace.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: 'AavmMessageClass' WindowName: ''
