Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\wbem\WMIADAP.EXE' /F /T /R
Modifies file system :
Creates the following files:
- C:\ProgramData\Microsoft\RAC\Temp\sql212.tmp
- C:\ProgramData\Microsoft\RAC\Temp\sql232.tmp
Deletes the following files:
- %WINDIR%\inf\WmiApRpl\0009\WmiApRpl.ini
- %WINDIR%\inf\WmiApRpl\0019\WmiApRpl.ini
- %WINDIR%\inf\WmiApRpl\WmiApRpl.h
- C:\ProgramData\Microsoft\RAC\Temp\sql232.tmp
- C:\ProgramData\Microsoft\RAC\Temp\sql212.tmp
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini