Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '<Virus name>' = '<Full path to virus>'
Malicious functions:
Creates and executes the following:
- '<Current directory>\ConfigUpdate.exe'
- '<Current directory>\ConfigUpdate.exe' (downloaded from the Internet)
Modifies file system :
Creates the following files:
- <Current directory>\ConfigUpdate.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\partner[1]
- %HOMEPATH%\Desktop\»гС¶±¦КµК±ЧКС¶.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ConfigUpdate[1].txt
Network activity:
Connects to:
- 'zi###.fx678.com':80
- 'zi###.fx678.com':6000
- 'localhost':1036
- 'do##.fx678.com':80
TCP:
HTTP GET requests:
- zi###.fx678.com/partner
- do##.fx678.com/version/yhtnews/ConfigUpdate.txt
UDP:
- DNS ASK zi###.fx678.com
- DNS ASK do##.fx678.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'