Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows Live' = '<Full path to file>'
Malicious functions
Injects code into
the following user processes:
- svchost.exe
Modifies file system
Creates the following files
- %TEMP%\svchost.exe
Sets the 'hidden' attribute to the following files
- %TEMP%\svchost.exe
Network activity
UDP
- DNS ASK si##.no-ip.info
Miscellaneous
Searches for the following windows
- ClassName: '#32770' WindowName: 'Program Manager'
- ClassName: '#32770' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
Creates and executes the following
- '%TEMP%\svchost.exe'
- '%WINDIR%\syswow64\cmd.exe' /k attrib "%TEMP%\svchost.exe" +s +h' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /k attrib "%LOCALAPPDATA%\Temp" +s +h' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /k attrib "%TEMP%\svchost.exe" +s +h
- '%WINDIR%\syswow64\cmd.exe' /k attrib "%LOCALAPPDATA%\Temp" +s +h
- '%WINDIR%\syswow64\attrib.exe' "%LOCALAPPDATA%\Temp" +s +h
- '%WINDIR%\syswow64\attrib.exe' "%TEMP%\svchost.exe" +s +h
