Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Yahoo Messengger' = '<SYSTEM32>\system3_.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe system3_.exe'
Creates or modifies the following files:
- %WINDIR%\Tasks\At1.job
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\system3_.exe
- <Drive name for removable media>:\New Folder.exe
Malicious functions:
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Executes the following:
- '<SYSTEM32>\cacls.exe' "C:\system volume information" /e /g "%USERNAME%":f
- '<SYSTEM32>\at.exe' 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\system3_.exe
- '<SYSTEM32>\at.exe' /delete /yes
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NofolderOptions' = '00000001'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- C:\System Volume Information\tracking.log.tmp
- C:\System Volume Information\tracking.log
- <SYSTEM32>\autorun.ini
- <SYSTEM32>\system3_.exe
- %WINDIR%\system3_.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <SYSTEM32>\autorun.ini
- <SYSTEM32>\system3_.exe
Moves the following files:
- from C:\System Volume Information\tracking.log.tmp to C:\System Volume Information\tracking.log
Network activity:
Connects to:
- 'h1.##pway.com':80
TCP:
HTTP GET requests:
- h1.##pway.com/sdb00034/setting.ini
- h1.##pway.com/sdb00033/setting.ini
- h1.##pway.com/sdb00032/setting.ini
- h1.##pway.com/sdb00037/setting.ini
- h1.##pway.com/sdb00036/setting.ini
- h1.##pway.com/sdb00035/setting.ini
- h1.##pway.com/sdb00028/setting.ini
- h1.##pway.com/sdb00027/setting.ini
- h1.##pway.com/sdb00026/setting.ini
- h1.##pway.com/sdb00031/setting.ini
- h1.##pway.com/sdb00030/setting.ini
- h1.##pway.com/sdb00029/setting.ini
- h1.##pway.com/sdb00038/setting.ini
- h1.##pway.com/sdb00047/setting.ini
- h1.##pway.com/sdb00046/setting.ini
- h1.##pway.com/sdb00045/setting.ini
- h1.##pway.com/sdb00050/setting.ini
- h1.##pway.com/sdb00049/setting.ini
- h1.##pway.com/sdb00048/setting.ini
- h1.##pway.com/sdb00041/setting.ini
- h1.##pway.com/sdb00040/setting.ini
- h1.##pway.com/sdb00039/setting.ini
- h1.##pway.com/sdb00044/setting.ini
- h1.##pway.com/sdb00043/setting.ini
- h1.##pway.com/sdb00042/setting.ini
- h1.##pway.com/sdb00025/setting.ini
- h1.##pway.com/sdb00008/setting.ini
- h1.##pway.com/sdb00007/setting.ini
- h1.##pway.com/sdb00006/setting.ini
- h1.##pway.com/sdb00011/setting.ini
- h1.##pway.com/sdb00010/setting.ini
- h1.##pway.com/sdb00009/setting.ini
- h1.##pway.com/sdb00002/setting.ini
- h1.##pway.com/sdb00001/setting.ini
- h1.##pway.com/sdb00000/setting.ini
- h1.##pway.com/sdb00005/setting.ini
- h1.##pway.com/sdb00004/setting.ini
- h1.##pway.com/sdb00003/setting.ini
- h1.##pway.com/sdb00012/setting.ini
- h1.##pway.com/sdb00021/setting.ini
- h1.##pway.com/sdb00020/setting.ini
- h1.##pway.com/sdb00019/setting.ini
- h1.##pway.com/sdb00024/setting.ini
- h1.##pway.com/sdb00023/setting.ini
- h1.##pway.com/sdb00022/setting.ini
- h1.##pway.com/sdb00015/setting.ini
- h1.##pway.com/sdb00014/setting.ini
- h1.##pway.com/sdb00013/setting.ini
- h1.##pway.com/sdb00018/setting.ini
- h1.##pway.com/sdb00017/setting.ini
- h1.##pway.com/sdb00016/setting.ini
UDP:
- DNS ASK h1.##pway.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'
