Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Taskman' = '%HOMEPATH%\aegvvp.exe'
Malicious functions:
Executes the following:
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system:
Creates the following files:
- %HOMEPATH%\aegvvp.exe
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\aegvvp.exe
Network activity:
UDP:
- DNS ASK mu###.###tal-protection.net.ru
- DNS ASK sl###.##fehousenumber.com
- 'mu###.###tal-protection.net.ru':41801
- 'sl###.##fehousenumber.com':41801
Miscellaneous:
Searches for the following windows:
- ClassName: 'Jkbkro Samkksxg Y' WindowName: 'Jserhg Dqqgcl Udi'
- ClassName: 'Nvni. Muhqua Sqtfj' WindowName: 'Bhweqgc Wwoapx Kyry'
- ClassName: 'Ndenqqj. Qpcyd. J' WindowName: 'Ksdnvms Qlcr Ybhxgh'
- ClassName: 'Voyyepavyn' WindowName: 'Enrlwhxy Ppur Stdf, Xeaox'
- ClassName: 'Xeaox, Voyyepavyn' WindowName: 'Enrlwhxy Ppur Stdf'
- ClassName: 'Ywdaph Ogj' WindowName: 'Ykrxtea Roeac, U, Gmvvmp'
- ClassName: 'Yocpvm L' WindowName: 'Bbckj Ducvku Ah, Ydmnwtu'
- ClassName: 'Ydmnwtu, Yocpvm L' WindowName: 'Bbckj Ducvku Ah'
- ClassName: 'Wdck Lditf. Udpsr' WindowName: 'Cnjkvkbcr Wuydd'
- ClassName: 'Gmvvmp, Ywdaph Ogj' WindowName: 'Ykrxtea Roeac, U'
- ClassName: 'Dtn. Jblaoxj Hgp' WindowName: 'Xosu Idwcl, Glbdj X'
- ClassName: 'Rprlo Fgklbs Op' WindowName: 'Gecrwm Skh, Cyyy'
- ClassName: 'La' WindowName: 'Qjfnng Atdw Rctd, Rbvgov Xapq'
- ClassName: 'Wojsmi Mg. Cxxxfj' WindowName: 'Qvlki Vrvs, Lyukwn'
- ClassName: 'Xgspx Fteqhg Qqrlkn' WindowName: 'Tecb, Dyfkml Ojyo C'
- ClassName: 'Hhapno Lfysynxs Rd' WindowName: 'Xxygaxk Lcbxu Iv'
- ClassName: 'Rbvgov Xapq, La' WindowName: 'Qjfnng Atdw Rctd'
- ClassName: 'Hqnyfwrw Fhovx Ugt' WindowName: 'Pyfqsow Jlhcti. Xym'
- ClassName: 'Glbeqxnvqw Hkfqkv E' WindowName: 'Jpcc Ymgnj Gjwcqb'
- ClassName: 'Uvhvqxrj Xs, Xwxvx' WindowName: 'Koofdwsv Dewbqupa F'
- ClassName: 'Epsx. Dnwr. Rbitc' WindowName: 'Ccdoosar, Rbrqw, Dv'
- ClassName: 'Xwxvx' WindowName: 'Koofdwsv Dewbqupa F, Uvhvqxrj Xs'
- ClassName: 'Ffptn, Qoext. Bam' WindowName: 'Jxfdxl, Nmrlyc. C'
- ClassName: 'Fpyo Ytwqaup Cnkg' WindowName: 'Enst. Vtfgp Acfgmbt'
- ClassName: 'Qoext. Bam' WindowName: 'Jxfdxl, Nmrlyc. C, Ffptn'
- ClassName: 'Iaf. Nwujr Gkgyy' WindowName: 'Jjpvs, Ekggfpy Cbd'
- ClassName: 'Jfnxyolan Uvpa. Bgv' WindowName: 'Sop, Pyumn. Kat. Ns'
- ClassName: 'Ghsugi' WindowName: 'Aonxg Lxkyh Pxiit, Kiawpyfxlhh'
- ClassName: 'Dxkxopnt Obvw. Fah' WindowName: 'Auarck. Rtdifb Lh'
- ClassName: 'Wgpgxwcx. Wuprup. A' WindowName: 'Otolsafvi Kgcm Pby'
- ClassName: 'Pyxd Gnbkm Kr. Eat' WindowName: 'Cuxtfueq Kylbvk'
- ClassName: 'Kiawpyfxlhh, Ghsugi' WindowName: 'Aonxg Lxkyh Pxiit'
- ClassName: 'Yrgjk. Euxodmdk Wed' WindowName: 'Rttbcqlgegj Rfhqjjs'
- ClassName: 'Yojaupc Wytl Vdbta' WindowName: 'Llpsq, Ineo, Wjk'
- ClassName: 'Uepjpkk. Kwksxq Ngq' WindowName: 'Yfsm Mjfmal, Gm'
- ClassName: 'Gtuad Nqce Lk. Stmk' WindowName: 'Koqtjp Topt Mgqw'
- ClassName: 'Klssqsv' WindowName: 'Wcqiy, Rmbbe Gm, Lqashs'
- ClassName: 'Lqashs, Klssqsv' WindowName: 'Wcqiy, Rmbbe Gm'
- ClassName: 'Aowtfjlp' WindowName: 'Xhonato Bcim. Fo, Qukrsfk'
- ClassName: 'Ujmlaf Sbhihw. H' WindowName: 'Lijgdsmay Akoel. O'
- ClassName: 'Mvwcxj Srer. Tmoqs' WindowName: 'Lonpc, Oblipghbg'
- ClassName: 'Qpftpx. Xlukrem' WindowName: 'Ipka Qydcq Xexy'
- ClassName: 'Qukrsfk, Aowtfjlp' WindowName: 'Xhonato Bcim. Fo'
- ClassName: 'Tukqi. Yfdxl. Erb' WindowName: 'Mmmt. Exethalgb'
