Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'winlogin' = '%WINDIR%\winlogin.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\photos.exe
Malicious functions:
Creates and executes the following:
- %WINDIR%\winlogin.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\pochta[1].php
- %WINDIR%\winlogin.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\autorun.exe
Network activity:
Connects to:
- 'ne##ns.biz':80
- 'localhost':1036
TCP:
HTTP GET requests:
- ne##ns.biz/pochta.php
UDP:
- DNS ASK ne##ns.biz
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''