Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Media File AutoConnect Workstation SNMP' = '<SYSTEM32>\lxfmsshcvi.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Program Update Disk Location] 'ImagePath' = '<SYSTEM32>\lxfmsshcvi.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Program Update Disk Location] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\ssukllpgbd.exe' "<SYSTEM32>\lxfmsshcvi.exe"
- '%WINDIR%\Temp\vlg3dzjx30sodi.exe' -r 46035 tcp
- '%TEMP%\vlg3dzjx2w6fdiy2hjtr8.exe'
- '<SYSTEM32>\lxfmsshcvi.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\ncxjaeodszaxmsp\run
- <SYSTEM32>\ncxjaeodszaxmsp\rng
- %WINDIR%\Temp\vlg3dzjx30sodi.exe
- <SYSTEM32>\ncxjaeodszaxmsp\cfg
- <SYSTEM32>\ssukllpgbd.exe
- %TEMP%\vlg3dzjx2w6fdiy2hjtr8.exe
- <SYSTEM32>\ncxjaeodszaxmsp\tst
- <SYSTEM32>\lxfmsshcvi.exe
- <SYSTEM32>\ncxjaeodszaxmsp\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\ssukllpgbd.exe
- <SYSTEM32>\lxfmsshcvi.exe
Deletes the following files:
- %WINDIR%\Temp\vlg3dzjx30sodi.exe
- <DRIVERS>\etc\hosts
- %TEMP%\vlg3dzjx2w6fdiy2hjtr8.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'lr###word.net':80
- 'vi###ord.net':80
- 'vi###ouch.net':80
- 'vi###gree.net':80
- 'lr###touch.net':80
- 'fi###gree.net':80
- 'pl###touch.net':80
- 'pl###agree.net':80
- 'pl###form.net':80
- 'fi###orm.net':80
- 'lr###agree.net':80
- 'yo###gree.net':80
- 'tr###touch.net':80
- 'tr###agree.net':80
- 'tr###form.net':80
- 'yo###orm.net':80
- 'lr###form.net':80
- 'vi###orm.net':80
- 'yo###ord.net':80
- 'yo###ouch.net':80
- 'tr###word.net':80
- 'fa###gree.net':80
- 'to###ouch.net':80
- 'to###gree.net':80
- 'to###orm.net':80
- 'fa###orm.net':80
- 'we###orm.net':80
- 've###orm.net':80
- 'fa###ord.net':80
- 'fa###ouch.net':80
- 'to###ord.net':80
- 'le###word.net':80
- 'se###form.net':80
- 'le###form.net':80
- 'fi###ord.net':80
- 'fi###ouch.net':80
- 'pl###word.net':80
- 'le###touch.net':80
- 'se###word.net':80
- 'se###touch.net':80
- 'se###agree.net':80
- 'le###agree.net':80
- 'to###rown.net':80
- 'fa###rown.net':80
- 'fa###lain.net':80
- 'fa###tep.net':80
- 'to###lain.net':80
- 've###tep.net':80
- 'we###lain.net':80
- 'we###tep.net':80
- 'to###lack.net':80
- 'fa###lack.net':80
- 'to###tep.net':80
- 'de###lxc.com':80
- 'se###plain.net':80
- 'be##lxc.com':80
- 'ri###nstorm.net':80
- 'af###sllc.com':80
- 'se###black.net':80
- 'le###black.net':80
- 'le###grown.net':80
- 'le###plain.net':80
- 'se###grown.net':80
- 'ta###tep.net':80
- 'wa###lain.net':80
- 'wa###tep.net':80
- 'pi###black.net':80
- 'mu###lack.net':80
- 'wa###lack.net':80
- 'ta###lack.net':80
- 'ta###rown.net':80
- 'ta###lain.net':80
- 'wa###rown.net':80
- 'mu###rown.net':80
- 'we###lack.net':80
- 've###lack.net':80
- 've###rown.net':80
- 've###lain.net':80
- 'we###rown.net':80
- 'mu###lain.net':80
- 'pi###grown.net':80
- 'pi###plain.net':80
- 'pi###step.net':80
- 'mu###tep.net':80
TCP:
HTTP GET requests:
- http://lr###word.net/index.php
- http://vi###ord.net/index.php
- http://vi###ouch.net/index.php
- http://vi###gree.net/index.php
- http://lr###touch.net/index.php
- http://fi###gree.net/index.php
- http://pl###touch.net/index.php
- http://pl###agree.net/index.php
- http://pl###form.net/index.php
- http://fi###orm.net/index.php
- http://lr###agree.net/index.php
- http://yo###gree.net/index.php
- http://tr###touch.net/index.php
- http://tr###agree.net/index.php
- http://tr###form.net/index.php
- http://yo###orm.net/index.php
- http://lr###form.net/index.php
- http://vi###orm.net/index.php
- http://yo###ord.net/index.php
- http://yo###ouch.net/index.php
- http://tr###word.net/index.php
- http://fa###gree.net/index.php
- http://to###ouch.net/index.php
- http://to###gree.net/index.php
- http://to###orm.net/index.php
- http://fa###orm.net/index.php
- http://we###orm.net/index.php
- http://ve###orm.net/index.php
- http://fa###ord.net/index.php
- http://fa###ouch.net/index.php
- http://to###ord.net/index.php
- http://le###word.net/index.php
- http://se###form.net/index.php
- http://le###form.net/index.php
- http://fi###ord.net/index.php
- http://fi###ouch.net/index.php
- http://pl###word.net/index.php
- http://le###touch.net/index.php
- http://se###word.net/index.php
- http://se###touch.net/index.php
- http://se###agree.net/index.php
- http://le###agree.net/index.php
- http://to###rown.net/index.php
- http://fa###rown.net/index.php
- http://fa###lain.net/index.php
- http://fa###tep.net/index.php
- http://to###lain.net/index.php
- http://ve###tep.net/index.php
- http://we###lain.net/index.php
- http://we###tep.net/index.php
- http://to###lack.net/index.php
- http://fa###lack.net/index.php
- http://to###tep.net/index.php
- http://de###lxc.com/index.php
- http://se###plain.net/index.php
- http://be##lxc.com/index.php
- http://ri###nstorm.net/index.php
- http://af###sllc.com/index.php
- http://se###black.net/index.php
- http://le###black.net/index.php
- http://le###grown.net/index.php
- http://le###plain.net/index.php
- http://se###grown.net/index.php
- http://ta###tep.net/index.php
- http://wa###lain.net/index.php
- http://wa###tep.net/index.php
- http://pi###black.net/index.php
- http://mu###lack.net/index.php
- http://wa###lack.net/index.php
- http://ta###lack.net/index.php
- http://ta###rown.net/index.php
- http://ta###lain.net/index.php
- http://wa###rown.net/index.php
- http://mu###rown.net/index.php
- http://we###lack.net/index.php
- http://ve###lack.net/index.php
- http://ve###rown.net/index.php
- http://ve###lain.net/index.php
- http://we###rown.net/index.php
- http://mu###lain.net/index.php
- http://pi###grown.net/index.php
- http://pi###plain.net/index.php
- http://pi###step.net/index.php
- http://mu###tep.net/index.php
UDP:
- DNS ASK lr###word.net
- DNS ASK vi###ord.net
- DNS ASK vi###ouch.net
- DNS ASK vi###gree.net
- DNS ASK lr###touch.net
- DNS ASK fi###gree.net
- DNS ASK pl###touch.net
- DNS ASK pl###agree.net
- DNS ASK pl###form.net
- DNS ASK fi###orm.net
- DNS ASK lr###agree.net
- DNS ASK yo###gree.net
- DNS ASK tr###touch.net
- DNS ASK tr###agree.net
- DNS ASK tr###form.net
- DNS ASK yo###orm.net
- DNS ASK lr###form.net
- DNS ASK vi###orm.net
- DNS ASK yo###ord.net
- DNS ASK yo###ouch.net
- DNS ASK tr###word.net
- DNS ASK fi###ouch.net
- DNS ASK to###ouch.net
- DNS ASK fa###ouch.net
- DNS ASK fa###gree.net
- DNS ASK fa###orm.net
- DNS ASK to###gree.net
- DNS ASK ve###orm.net
- DNS ASK we###gree.net
- DNS ASK we###orm.net
- DNS ASK to###ord.net
- DNS ASK fa###ord.net
- DNS ASK to###orm.net
- DNS ASK le###form.net
- DNS ASK se###agree.net
- DNS ASK se###form.net
- DNS ASK pl###word.net
- DNS ASK fi###ord.net
- DNS ASK se###word.net
- DNS ASK le###word.net
- DNS ASK le###touch.net
- DNS ASK le###agree.net
- DNS ASK se###touch.net
- DNS ASK to###rown.net
- DNS ASK fa###rown.net
- DNS ASK fa###lain.net
- DNS ASK fa###tep.net
- DNS ASK to###lain.net
- DNS ASK ve###tep.net
- DNS ASK we###lain.net
- DNS ASK we###tep.net
- DNS ASK to###lack.net
- DNS ASK fa###lack.net
- DNS ASK to###tep.net
- DNS ASK de###lxc.com
- DNS ASK se###plain.net
- DNS ASK be##lxc.com
- DNS ASK ri###nstorm.net
- DNS ASK af###sllc.com
- DNS ASK se###black.net
- DNS ASK le###black.net
- DNS ASK le###grown.net
- DNS ASK le###plain.net
- DNS ASK se###grown.net
- DNS ASK ta###tep.net
- DNS ASK wa###lain.net
- DNS ASK wa###tep.net
- DNS ASK pi###black.net
- DNS ASK mu###lack.net
- DNS ASK wa###lack.net
- DNS ASK ta###lack.net
- DNS ASK ta###rown.net
- DNS ASK ta###lain.net
- DNS ASK wa###rown.net
- DNS ASK mu###rown.net
- DNS ASK we###lack.net
- DNS ASK ve###lack.net
- DNS ASK ve###rown.net
- DNS ASK ve###lain.net
- DNS ASK we###rown.net
- DNS ASK mu###lain.net
- DNS ASK pi###grown.net
- DNS ASK pi###plain.net
- DNS ASK pi###step.net
- DNS ASK mu###tep.net
- '23#.#55.255.250':1900