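Technical Information

Note: host names and IP addresses below are partially masked with '#', so they cannot be used verbatim in blocklists or detection rules. <SYSTEM32>, %WINDIR% and %TEMP% are placeholders for the corresponding system directories, and the executable names look randomly generated, so they may differ from one infected machine to another.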
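Registry changes (persistence: a Run-key autorun value and a service whose 'Start' value 2 means automatic start at boot):
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Host Font Microsoft Internet Media Shell' = '<SYSTEM32>\ozhdpluhfk.exe'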
- [<HKLM>\SYSTEM\ControlSet001\Services\Store Discovery Net.Tcp Tunneling Shell] 'ImagePath' = '<SYSTEM32>\ozhdpluhfk.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Store Discovery Net.Tcp Tunneling Shell] 'Start' = '00000002'
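- Windows Security Center (listed without its heading in this copy; presumably the system feature the sample interferes with, to be confirmed against the full report)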
Processes started (command lines):
- '<SYSTEM32>\ydcwjfuztjx.exe' "<SYSTEM32>\ozhdpluhfk.exe"
- '%WINDIR%\Temp\amxpi74pbgdyktuyy.exe' -r 44149 tcp
- '%TEMP%\amxpi748cp0vrtuyyfxdp0n.exe'
- '<SYSTEM32>\ozhdpluhfk.exe'
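File system activity (several lists appear to have been merged here with their headings lost, which is why some paths repeat):
- <SYSTEM32>\hdlrkteeshgpqm\run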
- <SYSTEM32>\hdlrkteeshgpqm\rng
- %WINDIR%\Temp\amxpi74pbgdyktuyy.exe
- <SYSTEM32>\hdlrkteeshgpqm\cfg
- %TEMP%\amxpi748cp0vrtuyyfxdp0n.exe
- <SYSTEM32>\hdlrkteeshgpqm\tst
- <SYSTEM32>\ydcwjfuztjx.exe
- <SYSTEM32>\ozhdpluhfk.exe
- <SYSTEM32>\ydcwjfuztjx.exe
- <SYSTEM32>\ozhdpluhfk.exe
- %WINDIR%\Temp\amxpi74pbgdyktuyy.exe
- %TEMP%\amxpi748cp0vrtuyyfxdp0n.exe
Network connections (port 80):
- 'sp###five.net':80
- 'we###ight.ru':80
- 'sp###voice.net':80
- 'sp###eight.net':80
- 'sp###they.net':80
- 'we###hey.net':80
- 'we###ight.net':80
- 'we###ive.net':80
- 'ri###nstorm.net':80
- '18#.#06.120.168':80
- '18#.#17.73.77':80
- 'lo####thepings.ru':80
- 'mu###they.net':80
- 'mu###they.ru':80
- 'we###oice.net':80
HTTP requests:
- http://sp###five.net/index.php
- http://we###ight.ru/index.php
- http://sp###voice.net/index.php
- http://sp###eight.net/index.php
- http://sp###they.net/index.php
- http://we###hey.net/index.php
- http://we###ight.net/index.php
- http://we###ive.net/index.php
- http://ri###nstorm.net/index.php
- http://18#.#06.120.168/index.php
- http://18#.#17.73.77/index.php
- http://lo####thepings.ru/index.php
- http://mu###they.net/index.php
- http://mu###they.ru/index.php
- http://we###oice.net/index.php
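DNS queries (the names combine a small set of prefixes with word-like suffixes under .net and .ru, which looks like algorithmically generated domains; detection is better based on this lookup pattern than on individual names):
- DNS ASK vi###rise.net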
- DNS ASK sp###rise.net
- DNS ASK sp###rise.ru
- DNS ASK sp###noise.net
- DNS ASK vi###pull.ru
- DNS ASK vi###pull.net
- DNS ASK vi###noise.net
- DNS ASK sp###pull.net
- DNS ASK vi###fruit.net
- DNS ASK eq###noise.net
- DNS ASK gr###noise.ru
- DNS ASK eq###rise.net
- DNS ASK gr###rise.net
- DNS ASK gr###pull.net
- DNS ASK sp###fruit.net
- DNS ASK gr###noise.net
- DNS ASK eq###pull.net
- DNS ASK wa###fruit.net
- DNS ASK dr###rise.net
- DNS ASK th###ise.net
- DNS ASK th###ruit.ru
- DNS ASK th###ruit.net
- DNS ASK dr###pull.ru
- DNS ASK dr###pull.net
- DNS ASK dr###noise.net
- DNS ASK th###oise.net
- DNS ASK dr###fruit.net
- DNS ASK fa###ise.net
- DNS ASK wa###noise.ru
- DNS ASK fa###ruit.net
- DNS ASK wa###rise.net
- DNS ASK wa###pull.net
- DNS ASK fa###ull.net
- DNS ASK wa###noise.net
- DNS ASK fa###oise.net
- DNS ASK up###ull.net
- DNS ASK wh###pull.net
- DNS ASK up###oise.net
- DNS ASK wh###noise.net
- DNS ASK sa###ruit.net
- DNS ASK sp###ise.net
- DNS ASK sp###ruit.net
- DNS ASK sa###ruit.ru
- DNS ASK up###oise.ru
- DNS ASK so###pull.ru
- DNS ASK so###pull.net
- DNS ASK so###noise.net
- DNS ASK ar###pull.net
- DNS ASK wh###rise.net
- DNS ASK up###ise.net
- DNS ASK up###ruit.net
- DNS ASK wh###fruit.net
- DNS ASK sa###ise.net
- DNS ASK ta###noise.net
- DNS ASK gl###ull.net
- DNS ASK ta###rise.net
- DNS ASK gl###oise.net
- DNS ASK eq###fruit.net
- DNS ASK gr###fruit.net
- DNS ASK ta###pull.net
- DNS ASK eq###fruit.ru
- DNS ASK ta###rise.ru
- DNS ASK sp##pull.ru
- DNS ASK sp###ull.net
- DNS ASK sp###oise.net
- DNS ASK sa###oise.net
- DNS ASK ta###fruit.net
- DNS ASK gl###ise.net
- DNS ASK sa###ull.net
- DNS ASK gl###ruit.net
- DNS ASK th###ull.net
- DNS ASK eq###floor.net
- DNS ASK gr###floor.net
- DNS ASK gr###shade.net
- DNS ASK eq###floor.ru
- DNS ASK sp###cross.net
- DNS ASK vi###cross.ru
- DNS ASK sp###threw.net
- DNS ASK vi###threw.net
- DNS ASK eq###shade.net
- DNS ASK ta###floor.net
- DNS ASK eq###threw.net
- DNS ASK ta###shade.net
- DNS ASK gl###loor.net
- DNS ASK eq###cross.net
- DNS ASK gr###cross.net
- DNS ASK gr###threw.ru
- DNS ASK gr###threw.net
- DNS ASK vi###cross.net
- DNS ASK fa###hade.net
- DNS ASK wa###floor.net
- DNS ASK wa###shade.net
- DNS ASK fa###hade.ru
- DNS ASK th###hrew.net
- DNS ASK dr###cross.ru
- DNS ASK fa###loor.net
- DNS ASK dr###threw.net
- DNS ASK fa###ross.net
- DNS ASK sp###floor.net
- DNS ASK vi###floor.net
- DNS ASK sp###shade.net
- DNS ASK vi###shade.net
- DNS ASK fa###hrew.net
- DNS ASK wa###cross.net
- DNS ASK wa###threw.ru
- DNS ASK wa###threw.net
- DNS ASK wh###threw.net
- DNS ASK up###ross.net
- DNS ASK up###hrew.ru
- DNS ASK up###hrew.net
- DNS ASK up###hade.net
- DNS ASK up###loor.net
- DNS ASK wh###cross.net
- DNS ASK wh###shade.ru
- DNS ASK so###floor.net
- DNS ASK ar###cross.net
- DNS ASK so###cross.ru
- DNS ASK ar###threw.net
- DNS ASK so###threw.net
- DNS ASK so###shade.net
- DNS ASK ar###floor.net
- DNS ASK so###cross.net
- DNS ASK ar###shade.net
- DNS ASK wh###shade.net
- DNS ASK gl###hrew.net
- DNS ASK ta###threw.net
- DNS ASK sa###loor.ru
- DNS ASK sa###loor.net
- DNS ASK gl###hade.ru
- DNS ASK gl###hade.net
- DNS ASK gl###ross.net
- DNS ASK ta###cross.net
- DNS ASK sp###loor.net
- DNS ASK sa###hrew.net
- DNS ASK sp###ross.ru
- DNS ASK wh###floor.net
- DNS ASK sp###hrew.net
- DNS ASK sp###hade.net
- DNS ASK sa###hade.net
- DNS ASK sp###ross.net
- DNS ASK sa###ross.net
- DNS ASK ro###ive.net
- DNS ASK de###ight.net
- DNS ASK de##five.ru
- DNS ASK de###ive.net
- DNS ASK ro##they.ru
- DNS ASK ro###hey.net
- DNS ASK ro###ight.net
- DNS ASK de###hey.net
- DNS ASK ro###oice.net
- DNS ASK se####berfive.net
- DNS ASK jo###hey.net
- DNS ASK jo###ight.net
- DNS ASK ha###ive.net
- DNS ASK jo###oice.net
- DNS ASK de###oice.net
- DNS ASK wi###ight.net
- DNS ASK se####berthey.net
- DNS ASK wr###voice.net
- DNS ASK ha###cene.net
- DNS ASK hu###scene.net
- DNS ASK ha##aunt.ru
- DNS ASK ha###unt.net
- DNS ASK hu###dont.ru
- DNS ASK hu###dont.net
- DNS ASK hu###great.net
- DNS ASK ha###reat.net
- DNS ASK hu###aunt.net
- DNS ASK ma###ive.net
- DNS ASK wr###eight.ru
- DNS ASK ma###oice.net
- DNS ASK wr###five.net
- DNS ASK wr###they.net
- DNS ASK ma###hey.net
- DNS ASK wr###eight.net
- DNS ASK ma###ight.net
- DNS ASK we###hey.net
- DNS ASK sp###they.net
- DNS ASK sp###eight.net
- DNS ASK we###ight.net
- DNS ASK of###eight.net
- DNS ASK of###five.net
- DNS ASK fr###eight.net
- DNS ASK wi###ive.net
- DNS ASK sp###five.net
- DNS ASK we###oice.net
- DNS ASK mu###they.ru
- DNS ASK ri###nstorm.net
- DNS ASK lo####thepings.ru
- DNS ASK sp###voice.net
- DNS ASK we###ight.ru
- DNS ASK mu###they.net
- DNS ASK we###ive.net
- DNS ASK fr###five.net
- DNS ASK se####berfive.ru
- DNS ASK jo###ive.net
- DNS ASK ha###hey.net
- DNS ASK ha###ight.net
- DNS ASK wi###hey.net
- DNS ASK of###they.net
- DNS ASK wi###oice.net
- DNS ASK jo###oice.ru
- DNS ASK ha###oice.net
- DNS ASK of###voice.ru
- DNS ASK fr###voice.net
- DNS ASK fr###they.ru
- DNS ASK of###voice.net
- DNS ASK fr###they.net
- DNS ASK wi###ight.ru
- DNS ASK se####bervoice.net
- DNS ASK se####bereight.net
- DNS ASK ro###unt.net
- DNS ASK de###cene.net
- DNS ASK wi###ont.net
- DNS ASK de###unt.net
- DNS ASK de###reat.net
- DNS ASK ro###reat.net
- DNS ASK ro###cene.ru
- DNS ASK ro###cene.net
- DNS ASK jo###ont.net
- DNS ASK wi##aunt.ru
- DNS ASK jo###cene.net
- DNS ASK jo###unt.net
- DNS ASK se####berdont.net
- DNS ASK wi###reat.net
- DNS ASK jo##dont.ru
- DNS ASK wi###cene.net
- DNS ASK jo###reat.net
- DNS ASK de###ont.net
- DNS ASK ar###fruit.net
- DNS ASK so###fruit.net
- DNS ASK wr###dont.net
- DNS ASK ma###ont.net
- DNS ASK so###rise.net
- DNS ASK ar###noise.net
- DNS ASK ar###rise.ru
- DNS ASK ar###rise.net
- DNS ASK ma###reat.net
- DNS ASK wr###aunt.net
- DNS ASK ma###unt.net
- DNS ASK ro###ont.net
- DNS ASK wr###aunt.ru
- DNS ASK wr###great.net
- DNS ASK ma###reat.ru
- DNS ASK wr###scene.net
- DNS ASK ma###cene.net
- DNS ASK we###unt.net
- DNS ASK sp###aunt.net
- DNS ASK mu###dont.net
- DNS ASK we##aunt.ru
- DNS ASK we###reat.net
- DNS ASK sp###great.ru
- DNS ASK we###cene.net
- DNS ASK sp###scene.net
- DNS ASK ya###ont.net
- DNS ASK mu###aunt.net
- DNS ASK ya###cene.net
- DNS ASK ha###ont.net
- DNS ASK ya###unt.net
- DNS ASK ya###reat.net
- DNS ASK mu###great.net
- DNS ASK mu###scene.ru
- DNS ASK mu###scene.net
- DNS ASK sp###great.net
- DNS ASK of###dont.net
- DNS ASK se####beraunt.net
- DNS ASK fr###dont.net
- DNS ASK of###dont.ru
- DNS ASK ha###reat.ru
- DNS ASK wi###unt.net
- DNS ASK se####berscene.net
- DNS ASK se####bergreat.net
- DNS ASK of###great.net
- DNS ASK fr###aunt.net
- DNS ASK of###aunt.net
- DNS ASK we###ont.net
- DNS ASK sp###dont.net
- DNS ASK of###scene.net
- DNS ASK fr###great.net
- DNS ASK fr###scene.ru
- DNS ASK fr###scene.net
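- '23#.#55.255.250':1900 (port 1900 is used by SSDP/UPnP discovery and the masked address is consistent with the SSDP multicast group, so this is probably local discovery traffic rather than a remote host; confirm before treating it as an indicator)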