Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\msSystem] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%TEMP%\RarSFX0\setup.exe'
Restores hooked functions in System Service Descriptor Table (SSDT).
Hides the following processes:
- <Auxiliary element>
Modifies file system :
Creates the following files:
- %TEMP%\RarSFX0\Setup64.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\baidu[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\getstatus[1].asp
- %TEMP%\RarSFX0\setup.exe
- %TEMP%\RarSFX0\windnsapi.dll
- %TEMP%\RarSFX0\FAT32.dll
- %TEMP%\RarSFX0\FAT32.sys
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\getstatus[1].asp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\baidu[1]
Moves the following files:
- from %TEMP%\RarSFX0\FAT32.sys to %TEMP%\MSSYSTEM.DAT
- from %TEMP%\RarSFX0\FAT32.dll to %WINDIR%\system\MSAPI.DRV
Network activity:
Connects to:
- '20#.#6.232.182':80
- '12#.#25.114.144':80
TCP:
HTTP GET requests:
- 20#.#6.232.182/status/getstatus.asp
- 12#.#25.114.144/
UDP:
- DNS ASK www.microsoft.com
- DNS ASK www.ba##u.com
- '20#.#5.80.101':8000
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
