Win32.HLLW.Autoruner.50056

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MSWUpdate' = '"%APPDATA%\smss.exe"'
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'MSWUpdate' = '"%APPDATA%\smss.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Java update' = '%APPDATA%\Java update\java.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe "%APPDATA%\smss.exe"'

Malicious functions:

Creates and executes the following:

Executes the following:

<SYSTEM32>\netsh.exe firewall add allowedprogram "%APPDATA%\smss.exe" CityScape Enable
<SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java update" /t REG_SZ /d "%APPDATA%\Java update\java.exe" /f
<SYSTEM32>\cmd.exe /c """%TEMP%\BQuAP.bat"" "

Injects code into

the following system processes:

Hides the following processes:

Modifies file system :

Creates the following files:

%TEMP%\%USERNAME%7
%APPDATA%\%USERNAME%log.dat
%TEMP%\%USERNAME%2.txt
%APPDATA%\APyxK.exe
%APPDATA%\PyxKq.exe
%TEMP%\%USERNAME%8
<SYSTEM32>\Poursys\Battery.exe
%APPDATA%\Java update\java.exe
%TEMP%\BQuAP.bat
%APPDATA%\GVsBQ.exe
%APPDATA%\smss.exe
%APPDATA%\AcbQvETG
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\locate_my_ip[1]

Sets the 'hidden' attribute to the following files:

Deletes the following files:

Network activity:

Connects to:

TCP:

HTTP GET requests:

UDP:

Miscellaneous:

Searches for the following windows: