Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'И¤НжУОП·' = '<Drive name for removable media>:\И¤НжУОП·\17wan.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\И¤НжУОП·\offline.html
- <Drive name for removable media>:\И¤НжУОП·\offlinel.html
- <Drive name for removable media>:\И¤НжУОП·\logo.ico
- <Drive name for removable media>:\И¤НжУОП·\minibrowser.exe
- <Drive name for removable media>:\И¤НжУОП·\И¤НжНш.lnk
- <Drive name for removable media>:\И¤НжУОП·\images\loading.gif
- <Drive name for removable media>:\И¤НжУОП·\images\platformbg.jpg
- <Drive name for removable media>:\И¤НжУОП·\images\bg.jpg
- <Drive name for removable media>:\И¤НжУОП·\images\loading-s.gif
- <Drive name for removable media>:\И¤НжУОП·\hosts
- <Drive name for removable media>:\И¤НжУОП·\DownLoad.dll
- <Drive name for removable media>:\И¤НжУОП·\Mfc71.dll
- <Drive name for removable media>:\И¤НжУОП·\17Wan.exe
- <Drive name for removable media>:\И¤НжУОП·\ComService.dll
- <Drive name for removable media>:\И¤НжУОП·\Msvcp71.dll
- <Drive name for removable media>:\И¤НжУОП·\SkinControls.dll
- <Drive name for removable media>:\И¤НжУОП·\SocketModule.dll
- <Drive name for removable media>:\И¤НжУОП·\Msvcr71.dll
- <Drive name for removable media>:\И¤НжУОП·\QvodSetupPlus3.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Drive name for removable media>:\И¤НжУОП·\QvodSetupPlus3.exe' = '<Drive name for removable media>:\И¤НжУОП·\QvodSetupPlus3.exe:*:Enabled:QVOD'
Creates and executes the following:
- <Drive name for removable media>:\И¤НжУОП·\QvodSetupPlus3.exe
- <Drive name for removable media>:\И¤НжУОП·\minibrowser.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Desktop\И¤НжНш.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\minibrowser[1].php
- %HOMEPATH%\Desktop\И¤НжУОП·.lnk
- %HOMEPATH%\Start Menu\Programs\И¤НжУОП·\И¤НжУОП·.lnk
- %HOMEPATH%\Start Menu\Programs\И¤НжУОП·\И¤НжУОП·.url
Deletes the following files:
- <Drive name for removable media>:\И¤НжУОП·\hosts
Network activity:
Connects to:
- 'sn#.#78bfg.com':80
- 'ag###.qvod.com':80
- 'localhost':1038
- 'up###e.qvod.com':80
TCP:
HTTP GET requests:
- sn#.#78bfg.com/minibrowser.php?ur############################
- up###e.qvod.com/qd.jpg
UDP:
- DNS ASK st##.qvod.com
- DNS ASK st####.sipphone.com
- DNS ASK ag###.qvod.com
- DNS ASK tr###.qvod.com
- DNS ASK up###e.qvod.com
- DNS ASK sn#.#78bfg.com
- 'tr###.qvod.com':80
- '23#.#55.255.250':1900
- 'st##.qvod.com':3478
- 'st####.sipphone.com':3478
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
