Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'safe' = '%WINDIR%\safe.vbs'
Malicious functions:
Creates and executes the following:
- '%WINDIR%\f5desk.exe' /pid=2460
- '%WINDIR%\attrib.exe'
- '%WINDIR%\f5desk.exe' "%APPDATA%\2345.COM\url.ini" /c /p everyone:f
- '%WINDIR%\attrib.exe' /pid=3632
- '%WINDIR%\attrib.exe' 127.0.0.1 -n 2
- '%WINDIR%\attrib.exe' /pid=284
- '%WINDIR%\attrib.exe' /pid=3904
- '%WINDIR%\attrib.exe' /pid=300
- '%WINDIR%\f5desk.exe' /pid=2712
- '%WINDIR%\attrib.exe' "%APPDATA%\2345.COM\url.ini" /c /p everyone:f
- '%WINDIR%\attrib.exe' /pid=1520
- '%WINDIR%\attrib.exe' /pid=3528
- '%WINDIR%\attrib.exe' "%APPDATA%\2345.COM\desk.exe" -s -h -r
- '%WINDIR%\attrib.exe' "%APPDATA%\2345.COM\desk.exe" +r
- '%WINDIR%\attrib.exe' "%APPDATA%\2345.COM\url.ini" +r
- '%WINDIR%\desk.exe'
- '%WINDIR%\attrib.exe' "%APPDATA%\2345.COM\url.ini" -s -h -r
- '%WINDIR%\f5desk.exe'
- '%WINDIR%\attrib.exe' /S /D /c" echo y"
- '%WINDIR%\f5desk.exe' /pid=3456
- '%WINDIR%\attrib.exe' /pid=3400
- '%WINDIR%\attrib.exe' "%APPDATA%\2345.COM\desk.exe" /c /p everyone:f
- '%WINDIR%\attrib.exe' /pid=3300
Executes the following:
- '<SYSTEM32>\ping.exe' "%APPDATA%\2345.COM\desk.exe" /c /p everyone:f
- '<SYSTEM32>\cacls.exe' "%APPDATA%\2345.COM\url.ini" -s -h -r
- '<SYSTEM32>\cacls.exe' /pid=3576
- '<SYSTEM32>\ping.exe' /pid=3952
- '<SYSTEM32>\cacls.exe' /pid=3856
- '<SYSTEM32>\cacls.exe' /pid=3736
- '<SYSTEM32>\cacls.exe' "%APPDATA%\2345.COM\desk.exe" -s -h -r
- '<SYSTEM32>\cacls.exe' /S /D /c" echo y"
- '<SYSTEM32>\attrib.exe'
- '<SYSTEM32>\ping.exe' /pid=3516
- '<SYSTEM32>\cacls.exe' /pid=3440
- '<SYSTEM32>\cacls.exe' "%APPDATA%\2345.COM\desk.exe" +r
- '<SYSTEM32>\cacls.exe' /pid=3992
- '<SYSTEM32>\attrib.exe' /pid=764
- '<SYSTEM32>\ping.exe' /pid=3108
- '<SYSTEM32>\cacls.exe'
- '<SYSTEM32>\cacls.exe' /pid=1364
- '<SYSTEM32>\cacls.exe' /pid=3468
- '<SYSTEM32>\ping.exe' /pid=3256
- '<SYSTEM32>\cacls.exe' /pid=2768
- '<SYSTEM32>\ping.exe' /pid=2784
- '<SYSTEM32>\ping.exe' /pid=2516
- '<SYSTEM32>\attrib.exe' /pid=3032
- '<SYSTEM32>\cacls.exe' /pid=3016
- '<SYSTEM32>\attrib.exe' /S /D /c" echo y"
- '<SYSTEM32>\attrib.exe' "%APPDATA%\2345.COM\desk.exe" +r
- '<SYSTEM32>\attrib.exe' "%PROGRAM_FILES%\CoralExplorer\2345.exe" -s -h -r
- '<SYSTEM32>\cacls.exe' "%PROGRAM_FILES%\CoralExplorer\2345.exe" /c /p everyone:f
- '<SYSTEM32>\attrib.exe' "%HOMEPATH%\DESKTOP\2345═°╓╖╡╝║╜.lnk" -s-h -r
- '<SYSTEM32>\attrib.exe' "%ALLUSERSPROFILE%\╫└├ц\Internet Explorer.lnk" +r
- '<SYSTEM32>\attrib.exe' "%ALLUSERSPROFILE%\╫└├ц\Internet Explorer.lnk" -s -h -r
- '<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\╫└├ц\Internet Explorer.lnk" /c /p everyone:f
- '%WINDIR%\regedit.exe' -s %WINDIR%\drivers.sys
- '<SYSTEM32>\cmd.exe' /c ""%WINDIR%\sdly.bat" "
- '<SYSTEM32>\wscript.exe' "%WINDIR%\sdly.vbs"
- '<SYSTEM32>\cacls.exe' "%HOMEPATH%\DESKTOP\2345═°╓╖╡╝║╜.lnk" /c /p everyone:f
- '<SYSTEM32>\reg.exe' DELETE HKCR\piffile /v IsShortcut /f
- '<SYSTEM32>\reg.exe' DELETE HKCR\lnkfile /v IsShortcut /f
- '<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\╫└├ц\Internet Explorer.lnk" /c /p everyone:r
- '<SYSTEM32>\cacls.exe' "%APPDATA%\2345.COM\desk.exe" /c /p everyone:r
- '<SYSTEM32>\cacls.exe' "%APPDATA%\2345.COM\desk.exe" /c /p everyone:f
- '<SYSTEM32>\cacls.exe' "%APPDATA%\2345.COM\url.ini" /c /p everyone:r
- '<SYSTEM32>\cacls.exe' /pid=2984
- '<SYSTEM32>\attrib.exe' /pid=2936
- '<SYSTEM32>\cacls.exe' /pid=2560
- '<SYSTEM32>\attrib.exe' "c:\users\public\desktop\Internet Explorer.lnk" +r
- '<SYSTEM32>\attrib.exe' "c:\users\public\desktop\Internet Explorer.lnk" -s -h -r
- '<SYSTEM32>\cacls.exe' "c:\users\public\desktop\Internet Explorer.lnk" /c /p everyone:f
- '<SYSTEM32>\cacls.exe' "%APPDATA%\2345.COM\url.ini" /c /p everyone:f
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 2
- '<SYSTEM32>\cacls.exe' "c:\users\public\desktop\Internet Explorer.lnk" /c /p everyone:r
Injects code into
the following system processes:
- <SYSTEM32>\cacls.exe
- <SYSTEM32>\ping.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\attrib.exe
Forces autoplay for removable media.
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %WINDIR%\ie.lnk
- %APPDATA%\2345.com\desk.exe
- %WINDIR%\url.ini
- %WINDIR%\sdly.bat
- %WINDIR%\sdly.vbs
- %APPDATA%\2345.com\url.ini
- %APPDATA%\2345.com\2345网址导航.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\2345网址导航.lnk
- %HOMEPATH%\Desktop\2345网址导航.lnk
- %HOMEPATH%\Start Menu\2345网址导航.lnk
- %WINDIR%\safe.vbs
- %WINDIR%\desk.exe
- %WINDIR%\dnsxp.vbs
- %WINDIR%\attrib.exe
- %TEMP%\Info\bak.jpg
- %TEMP%\Info\title.jpg
- %WINDIR%\drivers.sys
- %WINDIR%\help.dat
- %WINDIR%\safe.bat
- %WINDIR%\glimmer.exe
- %WINDIR%\f5desk.exe
- %WINDIR%\glimmer.bat
Deletes the following files:
- %TEMP%\~DF1D74.tmp
- %TEMP%\~DFDDD0.tmp
- %TEMP%\~DF5D98.tmp
- %TEMP%\~DFE574.tmp
- %TEMP%\~DFA561.tmp
- %TEMP%\~DF9DE0.tmp
- %TEMP%\~DFC938.tmp
- %TEMP%\~DF895A.tmp
- %TEMP%\~DF8FE.tmp
- %TEMP%\~DF5E0E.tmp
- %TEMP%\~DF45F8.tmp
- %TEMP%\~DF311D.tmp
- %APPDATA%\2345.com\url.ini
- %TEMP%\~DF1E6A.tmp
- %TEMP%\~DF5D73.tmp
- %TEMP%\Info\bak.jpg
- %TEMP%\Info\title.jpg
- %TEMP%\~DFDD5C.tmp
- %TEMP%\~DFCF7E.tmp
- %TEMP%\~DF7C81.tmp
- %TEMP%\~DFFC5.tmp
- %TEMP%\~DF9C85.tmp
- %TEMP%\~DF5BE0.tmp
Network activity:
Connects to:
- 'un####.50bang.org':80
TCP:
HTTP GET requests:
- un####.50bang.org/web/ajax57?uI######################################################
UDP:
- DNS ASK un####.50bang.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
- ClassName: 'Progman' WindowName: 'Program Manager'
- ClassName: 'MS_WINHELP' WindowName: '(null)'
- ClassName: 'STATIC' WindowName: '00000B0C_PID_FastMM'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
