Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 "%TEMP%\IXP000.TMP\"'
Creates the following files on removable media:
- <Drive name for removable media>:\xscli.exe
- <Drive name for removable media>:\autorun.inf
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- <Auxiliary element>
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\IXP000.TMP\BIFROS~1.EXE' = '%TEMP%\IXP000.TMP\BIFROS~1.EXE:*:Enabled:ipsec'
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
blocks the following features:
- User Account Control (UAC)
Creates and executes the following:
- %TEMP%\IXP000.TMP\BIFROS~1.EXE
Executes the following:
- <SYSTEM32>\rundll32.exe <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen c:\53f4bf4db250be0c5ef37206815edda5.jpg
Injects code into
the following system processes:
- <SYSTEM32>\cscript.exe
a large number of user processes.
Modifies file system :
Creates the following files:
- C:\53f4bf4db250be0c5ef37206815edda5.jpg
- C:\Raccourci vers server.lnk
- %TEMP%\winksew.exe
- %TEMP%\0001C33B_Rar\BIFROS~1.EXE
- %TEMP%\IXP000.TMP\BIFROS~1.EXE
- %TEMP%\0001B6F7_Rar\BIFROS~1.EXE
- %TEMP%\0001BF53_Rar\BIFROS~1.EXE
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\xscli.exe
- <Drive name for removable media>:\autorun.inf
Deletes the following files:
- %TEMP%\IXP000.TMP\BIFROS~1.EXE
- %TEMP%\winksew.exe
- %TEMP%\0001B6F7_Rar\BIFROS~1.EXE
Miscellaneous:
Searches for the following windows:
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''