Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,%PROGRAM_FILES%\atxwsjxc\ialxblbg.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\ialxblbg.exe
Modifies master boot record (MBR).
Malicious functions:
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\spoolsv.exe
- <SYSTEM32>\ctfmon.exe
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\alg.exe
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\csrss.exe
- <SYSTEM32>\smss.exe
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\lsass.exe
- <SYSTEM32>\services.exe
a large number of user processes.
Searches for registry branches where third party applications store passwords:
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKLM>\Software\FlashFXP]
- [<HKCU>\Software\BPFTP]
- [<HKCU>\Software\FlashFXP]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\SOFTWARE\Far2\Plugins\FTP\Hosts]
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far\SavedDialogHistory\FTPHost]
- [<HKCU>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Far2\SavedDialogHistory\FTPHost]
Hooks the following functions in System Service Descriptor Table (SSDT):
- NtOpenKey, handler: pontggaf.sys
- NtCreateKey, handler: pontggaf.sys
Modifies settings of Windows Internet Explorer:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1201' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1201' = '00000000'
Modifies file system :
Creates the following files:
- <LS_APPDATA>\jbpeeimr.log
- %WINDIR%\Temp\7fffffb1
- %TEMP%\~TM4.tmp
- %PROGRAM_FILES%\atxwsjxc\ialxblbg.exe
- %WINDIR%\Temp\6decd52f
- %TEMP%\~TM2.tmp
- %TEMP%\~TM1.tmp
- %TEMP%\pontggaf.sys
- %TEMP%\afkhflgy.exe
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\ialxblbg.exe
Deletes the following files:
- %TEMP%\afkhflgy.exe
- %TEMP%\~TM4.tmp
- %TEMP%\pontggaf.sys
- %TEMP%\~TM1.tmp
- %TEMP%\~TM2.tmp
Network activity:
Connects to:
- 'gv#####sdmjqufbfgdg.com':443
- 'hk###mpjeg.com':443
- 'nt#####fxonbvkqed.com':443
- 'bo###svsvt.com':443
- 'lm####mkmpayyu.com':443
- 'ka#####paanwnuopbj.com':443
- 'yp####matxojboh.com':443
- 'eg###jyeasr.com':443
- 'pl###qjfynt.com':443
- 'uu####xvihatsr.com':443
- 'si####rsxdqmvq.com':443
- 'xe###vlmob.com':443
- 'rh####rmnacbg.com':443
- 'oh####mnlsyjwpp.com':443
- 'tr####kctoktsl.com':443
- 'vw#####rpuurtusi.com':443
- 'my#####nhuxplwifpo.com':443
- 'bj###tlg.com':443
- 'ce###xswsg.com':443
- 'ei####sddpwxl.com':443
- 'dh###btnxja.com':443
- 'wh####fgvpyr.com':443
- 'xw####gjrikdwy.com':443
- 'qa####dglsnraye.com':443
- 'rm####lnycyft.com':443
- 'ru#####qxveivksuvi.com':443
- 'ky###xbydck.com':443
- 'lc####tgdgqoba.com':443
- 'jy###ogwr.com':443
- 'fj####uyyppsei.com':443
- 'la###dbqqr.com':443
- 'jr#####kvhgsiyknhw.com':443
- 'bp###gre.com':443
- 'it####ufaixmin.com':443
- 'mw###rlf.com':443
- 'fa###s-zopa.com':443
- '74.##5.232.51':80
- 'tt#####nivtsybduyb.com':443
- 'cm####kxqgxxtbk.com':443
- 'as####nbyioy.com':443
- 'qw#####kdppgqeha.com':443
- 'hq####mvtush.com':443
- 'ym####nulihl.com':443
- 'af###gwn.com':443
- 'bv###xcfobr.com':443
- 'ys#####bqfkvkojv.com':443
- 'lu###txaymj.com':443
- 'lh#####bwenxtyae.com':443
- 'wa#####ygowhbdfn.com':443
- 'nt###vejb.com':443
- 'fm#####irxxgbupuxq.com':443
- 'fw#####rvkuqjclvy.com':443
- 'cn#####axkredxnk.com':443
UDP:
- DNS ASK dh###btnxja.com
- DNS ASK wh####fgvpyr.com
- DNS ASK xw####gjrikdwy.com
- DNS ASK ru#####qxveivksuvi.com
- DNS ASK ei####sddpwxl.com
- DNS ASK qa####dglsnraye.com
- DNS ASK rm####lnycyft.com
- DNS ASK bo###svsvt.com
- DNS ASK nt#####fxonbvkqed.com
- DNS ASK yp####matxojboh.com
- DNS ASK si####rsxdqmvq.com
- DNS ASK hk###mpjeg.com
- DNS ASK lm####mkmpayyu.com
- DNS ASK ka#####paanwnuopbj.com
- DNS ASK gv#####sdmjqufbfgdg.com
- DNS ASK vw#####rpuurtusi.com
- DNS ASK wp###lsc.com
- DNS ASK md####svdqbxp.com
- DNS ASK ry####ioyrcsu.com
- DNS ASK dl###ung.com
- DNS ASK ov###ngejmo.com
- DNS ASK xm####hkgjiif.com
- DNS ASK ui#####frpoafrpjxd.com
- DNS ASK dj#####rljlrkdqr.com
- DNS ASK ce###xswsg.com
- DNS ASK oh####mnlsyjwpp.com
- DNS ASK tr####kctoktsl.com
- DNS ASK bj###tlg.com
- DNS ASK bo###eqadbm.com
- DNS ASK dd####srdhtprae.com
- DNS ASK my#####nhuxplwifpo.com
- DNS ASK xe###vlmob.com
- DNS ASK bp###gre.com
- DNS ASK lc####tgdgqoba.com
- DNS ASK jy###ogwr.com
- DNS ASK jr#####kvhgsiyknhw.com
- DNS ASK wa#####ygowhbdfn.com
- DNS ASK nt###vejb.com
- DNS ASK la###dbqqr.com
- DNS ASK fj####uyyppsei.com
- DNS ASK mw###rlf.com
- DNS ASK fa###s-zopa.com
- DNS ASK google.com
- DNS ASK as####nbyioy.com
- DNS ASK it####ufaixmin.com
- DNS ASK tt#####nivtsybduyb.com
- DNS ASK cm####kxqgxxtbk.com
- DNS ASK lh#####bwenxtyae.com
- DNS ASK ky###xbydck.com
- DNS ASK af###gwn.com
- DNS ASK bv###xcfobr.com
- DNS ASK uu####xvihatsr.com
- DNS ASK rh####rmnacbg.com
- DNS ASK eg###jyeasr.com
- DNS ASK pl###qjfynt.com
- DNS ASK ys#####bqfkvkojv.com
- DNS ASK fm#####irxxgbupuxq.com
- DNS ASK fw#####rvkuqjclvy.com
- DNS ASK cn#####axkredxnk.com
- DNS ASK lu###txaymj.com
- DNS ASK qw#####kdppgqeha.com
- DNS ASK hq####mvtush.com
- DNS ASK ym####nulihl.com
