Technical Information
Malicious functions:
Executes the following:
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' -Embedding
- '%WINDIR%\explorer.exe' http://cr#####re-megacheat.ru
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\empty.bat""
- '%WINDIR%\explorer.exe' http://www.re##hack.ru/forums/chity-dlja-crossfire-rucf.2/
Modifies file system:
Creates the following files:
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\chity-dlja-crossfire-rucf[1]
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\U98D4X8H\crossfire-megacheat[1]
- %TEMP%\1.tmp\empty.bat
- <Current directory>\R
- %TEMP%\80EB2F5C
Deletes the following files:
- %TEMP%\1.tmp\empty.bat
Moves the following files:
- from <Current directory>\R to <Current directory>\RF020.REZ
Network activity:
Connects to:
- 'localhost':1039
- 'cr#####re-megacheat.ru':80
- 'localhost':1036
- 'www.re##hack.ru':80
TCP:
HTTP GET requests:
- http://cr#####re-megacheat.ru/
- http://www.re##hack.ru/forums/chity-dlja-crossfire-rucf.2/
UDP:
- DNS ASK cr#####re-megacheat.ru
- DNS ASK www.re##hack.ru
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
