Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{10E0OBO6-5UX8-70E2-LT0B-TB0NQ1340IX4}] 'StubPath' = '%WINDIR%\spynet\server.exe Restart'
Malicious functions:
Creates and executes the following:
- %WINDIR%\spynet\server.exe
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Modifies file system :
Creates the following files:
- %TEMP%\XxX.xXx
- %TEMP%\UuU.uUu
- %APPDATA%\logs.dat
- %WINDIR%\spynet\server.exe
- %TEMP%\XX--XX--XX.txt
Sets the 'hidden' attribute to the following files:
- %APPDATA%\logs.dat
Deletes the following files:
- %TEMP%\XxX.xXx
- %TEMP%\UuU.uUu
- %TEMP%\XX--XX--XX.txt
Network activity:
Connects to:
- 'ka####is.no-ip.org':82
UDP:
- DNS ASK ka####is.no-ip.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'shell_traywnd' WindowName: ''