Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\.scr] '' = '<SYSTEM32>'
- [<HKLM>\SOFTWARE\Classes\.scr\shell\open\command] '' = '<SYSTEM32>'
- [<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<SYSTEM32>\Win32Run.exe %1'
- [<HKLM>\SOFTWARE\Classes\.scr] '' = '<SYSTEM32>\Win32Run.exe %1'
- [<HKLM>\SOFTWARE\Classes\.scr\shell\open\command] '' = '<SYSTEM32>\Win32Run.exe %1'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '6331905' = '<SYSTEM32>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '6331905' = '<SYSTEM32>\Win32Run.exe'
- [<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = 'c:\1.exe %1'
- [<HKLM>\SOFTWARE\Classes\exefile\shell\open\command] '' = '<SYSTEM32>'
- [<HKLM>\SOFTWARE\Classes\txtfile\shell\open\command] '' = 'C:\1.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\Autorun.inf
- <Drive name for removable media>:\Win32Run.exe
Malicious functions:
To complicate detection of its presence in the operating system, blocks execution of the following system utilities:
- Registry Editor (RegEdit)
Creates and executes the following:
- '<SYSTEM32>\Win32Run.exe' <SYSTEM32>\ichelper.exe
- '<SYSTEM32>\Win32Run.exe' <Current directory>\ichelper.exe
Executes the following:
- '<SYSTEM32>\ntvdm.exe' -f -i16
- '<SYSTEM32>\ntvdm.exe' -f -i15
- '<SYSTEM32>\ntvdm.exe' -f -i18
- '<SYSTEM32>\ntvdm.exe' -f -i17
- '<SYSTEM32>\ntvdm.exe' -f -i12
- '<SYSTEM32>\ntvdm.exe' -f -i11
- '<SYSTEM32>\ntvdm.exe' -f -i14
- '<SYSTEM32>\ntvdm.exe' -f -i13
- '<SYSTEM32>\ntvdm.exe' -f -i1e
- '<SYSTEM32>\ntvdm.exe' -f -i1d
- '<SYSTEM32>\ntvdm.exe' -f -i20
- '<SYSTEM32>\ntvdm.exe' -f -i1f
- '<SYSTEM32>\ntvdm.exe' -f -i1a
- '<SYSTEM32>\ntvdm.exe' -f -i19
- '<SYSTEM32>\ntvdm.exe' -f -i1c
- '<SYSTEM32>\ntvdm.exe' -f -i1b
- '<SYSTEM32>\ntvdm.exe' -f -i10
- '<SYSTEM32>\ntvdm.exe' -f -i5
- '<SYSTEM32>\ntvdm.exe' -f -i4
- '<SYSTEM32>\ntvdm.exe' -f -i7
- '<SYSTEM32>\ntvdm.exe' -f -i6
- '<SYSTEM32>\ntvdm.exe' -f -i1
- '%WINDIR%\explorer.exe'
- '<SYSTEM32>\ntvdm.exe' -f -i3
- '<SYSTEM32>\ntvdm.exe' -f -i2
- '<SYSTEM32>\ntvdm.exe' -f -id
- '<SYSTEM32>\ntvdm.exe' -f -ic
- '<SYSTEM32>\ntvdm.exe' -f -if
- '<SYSTEM32>\ntvdm.exe' -f -ie
- '<SYSTEM32>\ntvdm.exe' -f -i9
- '<SYSTEM32>\ntvdm.exe' -f -i8
- '<SYSTEM32>\ntvdm.exe' -f -ib
- '<SYSTEM32>\ntvdm.exe' -f -ia
Injects code into the following user processes:
- NAVAPW32.EXE
Terminates or attempts to terminate the following system processes:
- %WINDIR%\Explorer.EXE
Terminates or attempts to terminate the following user processes:
- bdss.exe
- 360tray.exe
- NAVAPW32.EXE
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system:
Creates the following files:
- %WINDIR%\Temp\scs22.tmp
- %WINDIR%\Temp\scs23.tmp
- %WINDIR%\Temp\scs20.tmp
- %WINDIR%\Temp\scs21.tmp
- %WINDIR%\Temp\scs26.tmp
- %WINDIR%\Temp\scs27.tmp
- %WINDIR%\Temp\scs24.tmp
- %WINDIR%\Temp\scs25.tmp
- %WINDIR%\Temp\scs1F.tmp
- %WINDIR%\Temp\scs19.tmp
- %WINDIR%\Temp\scs1A.tmp
- %WINDIR%\Temp\scs17.tmp
- %WINDIR%\Temp\scs18.tmp
- %WINDIR%\Temp\scs1D.tmp
- %WINDIR%\Temp\scs1E.tmp
- %WINDIR%\Temp\scs1B.tmp
- %WINDIR%\Temp\scs1C.tmp
- %WINDIR%\Temp\scs33.tmp
- %WINDIR%\Temp\scs34.tmp
- %WINDIR%\Temp\scs31.tmp
- %WINDIR%\Temp\scs32.tmp
- %WINDIR%\Temp\scs37.tmp
- %WINDIR%\Temp\scs38.tmp
- %WINDIR%\Temp\scs35.tmp
- %WINDIR%\Temp\scs36.tmp
- %WINDIR%\Temp\scs30.tmp
- %WINDIR%\Temp\scs2A.tmp
- %WINDIR%\Temp\scs2B.tmp
- %WINDIR%\Temp\scs28.tmp
- %WINDIR%\Temp\scs29.tmp
- %WINDIR%\Temp\scs2E.tmp
- %WINDIR%\Temp\scs2F.tmp
- %WINDIR%\Temp\scs2C.tmp
- %WINDIR%\Temp\scs2D.tmp
- <SYSTEM32>\Autorun.inf
- %WINDIR%\Temp\scs2.tmp
- C:\Autorun.inf
- <SYSTEM32>\ichelper.exe
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs3.tmp
- C:\Win32Run.exe
- <Current directory>\Autorun.inf
- <Current directory>\hook.dll
- <Current directory>\ichelper.exe
- <SYSTEM32>\hook.dll
- <SYSTEM32>\COMCT232.OCX
- <Current directory>\COMCT232.OCX
- <SYSTEM32>\Win32Run.exe
- %WINDIR%\Temp\scs11.tmp
- %WINDIR%\Temp\scs12.tmp
- %WINDIR%\Temp\scs10.tmp
- %WINDIR%\Temp\scsF.tmp
- %WINDIR%\Temp\scs15.tmp
- %WINDIR%\Temp\scs16.tmp
- %WINDIR%\Temp\scs14.tmp
- %WINDIR%\Temp\scs13.tmp
- %WINDIR%\Temp\scsE.tmp
- %WINDIR%\Temp\scs8.tmp
- %WINDIR%\Temp\scs9.tmp
- %WINDIR%\Temp\scs6.tmp
- %WINDIR%\Temp\scs7.tmp
- %WINDIR%\Temp\scsC.tmp
- %WINDIR%\Temp\scsD.tmp
- %WINDIR%\Temp\scsA.tmp
- %WINDIR%\Temp\scsB.tmp
Deletes the following files:
- %WINDIR%\Temp\scs23.tmp
- %WINDIR%\Temp\scs1F.tmp
- %WINDIR%\Temp\scs24.tmp
- %WINDIR%\Temp\scs26.tmp
- %WINDIR%\Temp\scs29.tmp
- %WINDIR%\Temp\scs25.tmp
- %WINDIR%\Temp\scs20.tmp
- %WINDIR%\Temp\scs1D.tmp
- %WINDIR%\Temp\scs1C.tmp
- %WINDIR%\Temp\scs19.tmp
- %WINDIR%\Temp\scs22.tmp
- %WINDIR%\Temp\scs1E.tmp
- %WINDIR%\Temp\scs21.tmp
- %WINDIR%\Temp\scs32.tmp
- %WINDIR%\Temp\scs2F.tmp
- %WINDIR%\Temp\scs2D.tmp
- %WINDIR%\Temp\scs33.tmp
- %WINDIR%\Temp\scs31.tmp
- %WINDIR%\Temp\scs34.tmp
- %WINDIR%\Temp\scs30.tmp
- %WINDIR%\Temp\scs2B.tmp
- %WINDIR%\Temp\scs27.tmp
- %WINDIR%\Temp\scs2A.tmp
- %WINDIR%\Temp\scs2E.tmp
- %WINDIR%\Temp\scs2C.tmp
- %WINDIR%\Temp\scs28.tmp
- %WINDIR%\Temp\scsB.tmp
- %WINDIR%\Temp\scsA.tmp
- %WINDIR%\Temp\scs7.tmp
- %WINDIR%\Temp\scsE.tmp
- %WINDIR%\Temp\scsC.tmp
- %WINDIR%\Temp\scs9.tmp
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs1.tmp
- %WINDIR%\Temp\scs3.tmp
- %WINDIR%\Temp\scs2.tmp
- %WINDIR%\Temp\scs8.tmp
- %WINDIR%\Temp\scs6.tmp
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scs15.tmp
- %WINDIR%\Temp\scs17.tmp
- %WINDIR%\Temp\scs16.tmp
- %WINDIR%\Temp\scs1B.tmp
- %WINDIR%\Temp\scs1A.tmp
- %WINDIR%\Temp\scs18.tmp
- %WINDIR%\Temp\scs13.tmp
- %WINDIR%\Temp\scs10.tmp
- %WINDIR%\Temp\scsD.tmp
- %WINDIR%\Temp\scsF.tmp
- %WINDIR%\Temp\scs12.tmp
- %WINDIR%\Temp\scs14.tmp
- %WINDIR%\Temp\scs11.tmp
Miscellaneous:
Searches for the following windows:
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d88.c60.4a0017'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c84.c88.490016'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c64.cec.4c0019'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-d44.df0.4b0018'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b04.ae8.480015'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-638.594.450012'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-70c.700.440011'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a14.bb8.470014'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-72c.b98.460013'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-c18.c28.4d001a'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1064.1074.540021'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1060.1070.530020'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-10a0.10a4.560023'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1080.1084.550022'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1054.105c.52001f'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ec0.d68.4f001c'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bbc.e1c.4e001b'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1030.1034.51001e'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-1028.102c.50001d'
- ClassName: 'CSCHiddenWindow' WindowName: '(null)'
- ClassName: 'SystemTray_Main' WindowName: '(null)'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-98c.964.390002'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-980.968.380001'
- ClassName: 'OleMainThreadWndClass' WindowName: '(null)'
- ClassName: 'Proxy Desktop' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'SysListView32' WindowName: '(null)'
- ClassName: 'BaseBar' WindowName: 'ChanApp'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-568.9d0.3a0007'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ac8.adc.41000e'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-ab8.acc.40000d'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-690.a54.430010'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-6bc.6b8.42000f'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a84.a80.3f000c'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-5ec.a34.3c0009'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-9e0.9e4.3b0008'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a6c.a68.3e000b'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-a38.a3c.3d000a'