Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\1091981584] 'Name' = '"%TEMP%\srvAE4.tmp"'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\srvAE4] 'Start' = '00000002'
Malicious functions:
Injects code into
the following system processes:
- <SYSTEM32>\spoolsv.exe
Modifies file system :
Creates the following files:
- %WINDIR%\Temp\1.tmp
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0J2LM5OP\wpad[1].dat
- %TEMP%\srvAE4.tmp
- %TEMP%\srvAE4.ini
Sets the 'hidden' attribute to the following files:
- %TEMP%\srvAE4.tmp
Network activity:
Connects to:
- 'wpad.localdomain':80
- '18#.#38.48.178':80
TCP:
HTTP GET requests:
- wpad.localdomain/wpad.dat
- 18#.#38.48.178/service/listener.php?af#########
- 18#.#38.48.178//srv
UDP:
- DNS ASK wpad.localdomain