Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'Policies' = '<SYSTEM32>\install\server.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'Policies' = '<SYSTEM32>\install\server.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'HKLM' = '<SYSTEM32>\install\server.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'HKCU' = '<SYSTEM32>\install\server.exe'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}] 'StubPath' = '<SYSTEM32>\install\server.exe Restart'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}] 'StubPath' = '<SYSTEM32>\install\server.exe'
Malicious functions:
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
the following user processes:
- server.exe
Modifies file system:
Creates the following files:
- <SYSTEM32>\install\server.exe
- %TEMP%\XX--XX--XX.txt
- %TEMP%\XxX.xXx
- %TEMP%\UuU.uUu
- %TEMP%\140953.tmp
- %APPDATA%\SQLite3.dll
- <SYSTEM32>\conf.ini
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\install\server.exe
Deletes the following files:
- %TEMP%\XX--XX--XX.txt
- %TEMP%\XxX.xXx
- %TEMP%\UuU.uUu
Substitutes the following files:
- %TEMP%\XxX.xXx
- %TEMP%\UuU.uUu
Network activity:
Connects to:
- 'localhost':1037
- 'se##er.com':80
- 'ch#####x.justfree.com':80
- 'gr####.no-ip.biz':200
- 'gr####.no-ip.biz':2000
TCP:
HTTP GET requests:
- http://www.se##er.com/sqlite3.dll via se##er.com
- http://ch#####x.justfree.com/arquivo.txt
UDP:
- DNS ASK ch#####x.justfree.com
- DNS ASK www.se##er.com
- DNS ASK gr####.no-ip.biz
Miscellaneous:
Creates and executes the following:
- '<Full path to file>'
- '<SYSTEM32>\install\server.exe'
Executes the following:
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE'
