Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'adtime.exe' = 'c:\programdata\adtime.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\adtime.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\programdata\adtime.exe' = 'C:\programdata\adtime.exe:*:Enabled:adtime'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:<Virus name>'
Creates and executes the following:
- 'C:\programdata\system.exe'
- 'C:\programdata\adtime.exe'
- 'C:\programdata\system.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\attrib.exe' e:\autorun.inf +s +h +r
- '<SYSTEM32>\attrib.exe' z: [\\.host\Shared Folders\vm_shara]\adtime.exe -s -r
- '<SYSTEM32>\attrib.exe' e:\autorun.inf -s -r
- '<SYSTEM32>\attrib.exe' e:\adtime.exe -s -r
- '<SYSTEM32>\attrib.exe' e:\adtime.exe +s +h +r
- '<SYSTEM32>\attrib.exe' c:\programdata +s +h +r
- '<SYSTEM32>\cmd.exe' /c c:\programdata\runupdate.cmd
- '<SYSTEM32>\attrib.exe' z: [\\.host\Shared Folders\vm_shara]\autorun.inf +s +h +r
- '<SYSTEM32>\attrib.exe' z: [\\.host\Shared Folders\vm_shara]\adtime.exe +s +h +r
- '<SYSTEM32>\attrib.exe' z: [\\.host\Shared Folders\vm_shara]\autorun.inf -s -r
- '<SYSTEM32>\attrib.exe' c:\adtime.exe +s +h +r
- '<SYSTEM32>\attrib.exe' c:\autorun.inf -s -r
- '<SYSTEM32>\attrib.exe' c:\adtime.exe -s -r
- '<SYSTEM32>\cmd.exe' /c c:\programdata\sys2.cmd
- '<SYSTEM32>\cmd.exe' /c c:\programdata\sys.cmd
- '<SYSTEM32>\attrib.exe' <Drive name for removable media>:\autorun.inf -s -r
- '<SYSTEM32>\attrib.exe' <Drive name for removable media>:\autorun.inf +s +h +r
- '<SYSTEM32>\attrib.exe' <Drive name for removable media>:\adtime.exe +s +h +r
- '<SYSTEM32>\attrib.exe' c:\autorun.inf +s +h +r
- '<SYSTEM32>\attrib.exe' <Drive name for removable media>:\adtime.exe -s -r
Modifies file system :
Creates the following files:
- C:\programdata\runupdate.cmd
- C:\programdata\updated
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\system[1].exe
- C:\programdata\system.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\command[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\system[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\command[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\system[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\command[1]
- C:\programdata\autorun.inf
- C:\programdata\sys2.cmd
- C:\programdata\adtime.exe
- C:\autorun.inf
- C:\programdata\06-27-2013
- C:\programdata\sys.cmd
- C:\adtime.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\adtime.exe
- <Drive name for removable media>:\autorun.inf
- C:\adtime.exe
- C:\autorun.inf
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\system[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\command[1]
- %TEMP%\~DF3F5B.tmp
- %TEMP%\~DFBFA0.tmp
- %TEMP%\~DFE9C1.tmp
- %TEMP%\~DF76D5.tmp
- %TEMP%\~DF4C7E.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\system[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\command[1]
Network activity:
Connects to:
- 'localhost':1041
- 'fu####s.allalla.com':80
- 'localhost':1037
- 'fu####s.allalla.com':21
TCP:
HTTP GET requests:
- fu####s.allalla.com/system.exe
- fu####s.allalla.com/command
UDP:
- DNS ASK fu####s.allalla.com
