Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Yahoo Messenger' = '<SYSTEM32>\Jumoong4.avi.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\Jumoong4.avi.exe
Malicious functions:
To complicate detection of its presence in the operating system, forces the system to hide the following from view:
- hidden files
Blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Creates and executes the following:
- <SYSTEM32>\Jumoong4.avi.exe
- C:\Jumoong4.avi.exe
- <Drive name for removable media>:\Jumoong4.avi.exe
- <SYSTEM32>\Jumoong4.avi.exe -p 5144 -e 124 -g
- C:\Jumoong4.avi.exe -p 5968 -e 52 -g
- C:\Jumoong4.avi.exe -p 5292 -e 100 -g
- C:\Jumoong4.avi.exe -p 5312 -e 100 -g
- C:\Jumoong4.avi.exe /R /T
- C:\Jumoong4.avi.exe -Embedding
Terminates or attempts to terminate the following system processes:
- <SYSTEM32>\drwtsn32.exe
Also terminates or attempts to terminate a large number of user processes.
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system:
Creates the following files:
- <SYSTEM32>\Jumoong4.avi.exe
- C:\autorun.inf
- C:\Jumoong4.avi.exe
- <SYSTEM32>\wbem\Performance\WmiApRpl_new.h
- <SYSTEM32>\wbem\Performance\WmiApRpl_new.ini
- <SYSTEM32>\PerfStringBackup.TMP
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\Jumoong4.avi.exe
- C:\autorun.inf
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\Jumoong4.avi.exe
Deletes the following files:
- <SYSTEM32>\wbem\Performance\WmiApRpl.h
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- <SYSTEM32>\PerfStringBackup.TMP
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'Search Results'
- ClassName: '' WindowName: 'User Accounts'
- ClassName: '' WindowName: 'System Restore'
- ClassName: '' WindowName: 'My Computer'
- ClassName: '' WindowName: 'Copying...'
- ClassName: '' WindowName: 'Moving...'
- ClassName: '' WindowName: 'System32'
- ClassName: '' WindowName: 'WINDOWS'
- ClassName: '' WindowName: 'Media'
- ClassName: '' WindowName: 'Run'
- ClassName: '' WindowName: 'Antivirus'
- ClassName: '' WindowName: 'Anti viru'
- ClassName: '' WindowName: 'Windows Task Manager'
- ClassName: '' WindowName: 'Control Panel'
- ClassName: '' WindowName: 'Registry Editor'
- ClassName: '' WindowName: 'System Configuration Utility'
- ClassName: '' WindowName: 'Folder Option'
- ClassName: '' WindowName: 'Setup'
- ClassName: '' WindowName: 'Kaspersky Anti-Virus 2009'
- ClassName: '' WindowName: 'ESET NOD32 Antivirus Setup'
- ClassName: '' WindowName: 'avast! Antivirus Setup'
- ClassName: '' WindowName: 'Panda Global Protection 2009 Setup'
- ClassName: 'Shell_TrayWnd' WindowName: ''