Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\3175313888] 'Name' = '%TEMP%\3.tmp'
Malicious functions:
Creates and executes the following:
- %HOMEPATH%\m.exe
- %HOMEPATH%\l.exe
- %HOMEPATH%\k8NlBz6ce1.exe
Injects code into
the following system processes:
- <SYSTEM32>\spoolsv.exe
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
Modifies file system :
Creates the following files:
- %TEMP%\2.tmp
- %WINDIR%\Temp\5.tmp
- %HOMEPATH%\xuies.exe
- %HOMEPATH%\k8NlBz6ce1.exe
- %HOMEPATH%\l.exe
- %HOMEPATH%\m.exe
Deletes the following files:
- %WINDIR%\Temp\5.tmp
- <DRIVERS>\etc\hosts
- %TEMP%\3.tmp
Network activity:
Connects to:
- 'co##stug.in':80
TCP:
HTTP POST requests:
- co##stug.in/wekdmxx.php?in##############################################################################################################
UDP:
- DNS ASK wi#####iafoundation.org
- DNS ASK co##stug.in
- DNS ASK ig.#om.br
- DNS ASK nb#.com
- '<Private IP address>':1035