Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Infected' = '988c730b3a29eae19e2675dac14f9b42747d6f79f3a89987c4e464f081949c32988c730b3a29eae19e2675dac14f9b42'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Security Update' = '%HOMEPATH%\WindowsSecurityUpdate.exe /onboot'
Infects the following executable files
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\1033\dwintl20.dll
- C:\totalcmd\unrar64.dll
- C:\totalcmd\tcusbrun.exe
- C:\totalcmd\totalcmd64.exe
- C:\totalcmd\tcunzl64.dll
- C:\totalcmd\tcunin64.exe
- C:\totalcmd\tcmdx32.exe
- C:\totalcmd\tcmadm64.exe
- C:\totalcmd\tclzma64.dll
- C:\totalcmd\tc7z64.dll
- C:\totalcmd\noclose64.exe
- %HOMEPATH%\downloads\winamp5666_full_all.exe
- %HOMEPATH%\downloads\tcmd851ax64.exe
- %HOMEPATH%\downloads\pidgin-2.10.11.exe
- %HOMEPATH%\downloads\mirc741.exe
- C:\totalcmd\wcmicons.dll
- %HOMEPATH%\downloads\magent_rfrset.exe
- %HOMEPATH%\downloads\icq_rfrset.exe
- %HOMEPATH%\downloads\thunderbird setup 31.6.0.exe
- %HOMEPATH%\downloads\steamsetup.exe
- %HOMEPATH%\downloads\opera_ni_stable.exe
- %HOMEPATH%\downloads\k-lite_codec_pack_1110_mega_dlm.exe
- %HOMEPATH%\downloads\k-lite_codec_pack_1110_mega.exe
- %HOMEPATH%\downloads\chromesetup.exe
- %HOMEPATH%\desktop\tcm851ax32.exe
- %HOMEPATH%\desktop\notepad.exe
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\osetupui.dll
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\msvcr90.dll
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\dwtrig20.exe
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\dwdcw20.dll
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\dw20.exe
- %HOMEPATH%\downloads\jre-8u45-windows-x64.exe
- C:\totalcmd\wcmzip64.dll
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
blocks the following features:
- System Restore (SR)
deletes volume shadow copies.
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\000814251_video_01.avi
- %HOMEPATH%\desktop\region-north-karelia.jpg
- %HOMEPATH%\desktop\pushkin.jpeg
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\iisstart.html
- %HOMEPATH%\desktop\hanni_umami_chapter.doc
- %HOMEPATH%\desktop\dialmap.bmp
- %HOMEPATH%\desktop\dial.bmp
- %HOMEPATH%\desktop\dashborder_96.bmp
- %HOMEPATH%\desktop\tree_view.html
- %HOMEPATH%\desktop\dashborder_192.bmp
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
- %HOMEPATH%\desktop\about.html
- %HOMEPATH%\desktop\4f0bf7ff71f28.jpg
- %HOMEPATH%\desktop\3.jpg
- %HOMEPATH%\desktop\3.jpeg
- %HOMEPATH%\desktop\13.jpg
- %HOMEPATH%\desktop\13.jpeg
- %HOMEPATH%\desktop\1189.jpg
- %HOMEPATH%\desktop\coffee.bmp
- %HOMEPATH%\desktop\uep_form_786_bulletin_1726i602.doc
Modifies file system
Creates the following files
- %HOMEPATH%\windowssecurityupdate.exe
Moves the following files
- from %HOMEPATH%\windowssecurityupdate.exe to %HOMEPATH%\windowssecurityupdate.exe.gonnacry
Modifies the following files
- C:\far2\addons\colors\custom_highlighting\import_colors.bat
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\propsww2.cab
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\propsww.cab
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\proplusww.xml
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\proplusww.msi
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\office32ww.xml
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\office32ww.msi
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\owow32ww.cab
- C:\far2\plugins\ftp\notes_rus.txt
- C:\far2\plugins\ftp\notes.txt
- C:\far2\plugins\ftp\ftpcmds_rus.txt
- C:\far2\plugins\ftp\ftpcmds.txt
- C:\far2\documentation\rus\techinfo.txt
- C:\far2\documentation\rus\plugins_review.txt
- C:\far2\documentation\rus\plugins_install.txt
- C:\far2\documentation\rus\far_faq.txt
- C:\far2\documentation\rus\bug_report.txt
- C:\far2\documentation\rus\arc_support.txt
- C:\far2\documentation\eng\techinfo.txt
- C:\far2\documentation\eng\plugins_review.txt
- C:\far2\documentation\eng\plugins_install.txt
- C:\far2\documentation\eng\far_faq.txt
- C:\far2\documentation\eng\bug_report.txt
- C:\far2\documentation\eng\arc_support.txt
- C:\far2\addons\readme.txt
- C:\far2\addons\colors\import_colors.bat
- C:\far2\addons\colors\export_colors.bat
- C:\far2\addons\colors\default_highlighting\import_colors.bat
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\setup.xml
- C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab
Modifies multiple files.
Modifies user data files (Trojan.Encoder).
Changes user data files extensions (Trojan.Encoder).
Miscellaneous
Executes the following
- '<SYSTEM32>\tasklist.exe' /FO csv
- '<SYSTEM32>\cmd.exe' /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog ...
- '<SYSTEM32>\vssadmin.exe' delete shadow /all /quiet
- '<SYSTEM32>\cmd.exe' /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures <SYSTEM32>\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet
- '<SYSTEM32>\cmd.exe' /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- '<SYSTEM32>\cmd.exe' /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "%HOMEPATH%\WindowsSecurityUpdate.exe /onboot" /f
- '<SYSTEM32>\reg.exe' ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "%HOMEPATH%\WindowsSecurityUpdate.exe /onboot" /f
