Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\msupd.exe'
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\Paltalk]
- [<HKCU>\Software\Yahoo\pager]
Modifies file system :
Creates the following files:
- %TEMP%\res.ico2
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\index[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\index[1].php
- %TEMP%\res.ico
- %TEMP%\aut1.tmp
- %TEMP%\msupd.exe
- %TEMP%\aut2.tmp
Deletes the following files:
- %TEMP%\aut2.tmp
- %TEMP%\aut1.tmp
Network activity:
Connects to:
- 'fr####x.comlu.com':80
- 'localhost':1035
TCP:
HTTP GET requests:
- fr####x.comlu.com/index.php?ac#####################################################################################################
- fr####x.comlu.com/index.php?ac##############################################
UDP:
- DNS ASK fr####x.comlu.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
