Technical Information
Malicious functions:
Creates and executes the following:
- %WINDIR%\disk4.exe (downloaded from the Internet)
- %WINDIR%\disk5.exe (downloaded from the Internet)
- %WINDIR%\disk3.exe (downloaded from the Internet)
- %WINDIR%\disk1.exe (downloaded from the Internet)
- %WINDIR%\disk2.exe (downloaded from the Internet)
Modifies file system:
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\kwmusic_msnassistant[1].exe
- %WINDIR%\disk3.exe
- %WINDIR%\disk4.exe
- %WINDIR%\disk5.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\wl0419152[1].exe
- %WINDIR%\disk1.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\zz623[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\t086[1].wko
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\coopen_setup_100180[1].exe
- %WINDIR%\disk2.exe
Network activity:
Connects to:
- 'do####ad.coopen.cn':80
- 'do##.kuwo.cn':80
- 'do##.emoney.cn':80
- 'localhost':1034
- 'd.###sanguo.com':80
- 'www.xu###i100.com':80
TCP:
HTTP GET requests:
- do##.kuwo.cn/mbox/kwmusic_msnassistant.exe
- do##.emoney.cn/wl0419152.exe
- do####ad.coopen.cn/setup/v5/coopen_setup_100180.exe
- d.###sanguo.com/623/zz623.exe
- www.xu###i100.com/msn/software/partner/dwq0617/t086.wko
UDP:
- DNS ASK do####ad.coopen.cn
- DNS ASK do##.kuwo.cn
- DNS ASK do##.emoney.cn
- DNS ASK d.###sanguo.com
- DNS ASK www.xu###i100.com
- '<Private IP address>':1035
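The file and network indicators listed above can be turned into a simple host and proxy-log sweep. The following Python script is an added example written for this page, not part of the original report or of any vendor tooling. Because the report masks the download hosts (for example do##.kuwo.cn), the matcher keys on the unmasked request paths and dropped file names instead of on host names; the %WINDIR% value, the proxy log layout (`<timestamp> <client> <method> <url> <status>`) and all sample log lines and paths are constructed assumptions for the stand-alone run.

```python
import re
from urllib.parse import urlsplit

# Request paths from the HTTP GET list in the report. Host names are masked in
# the report, so the detection matches on the path component only.
PAYLOAD_URI_PATHS = {
    "/mbox/kwmusic_msnassistant.exe",
    "/wl0419152.exe",
    "/setup/v5/coopen_setup_100180.exe",
    "/623/zz623.exe",
    "/msn/software/partner/dwq0617/t086.wko",
}

# disk1.exe .. disk5.exe are dropped directly under %WINDIR%.
DROPPED_NAME_RE = re.compile(r"disk[1-5]\.exe", re.IGNORECASE)

# IE cache copies: the Content.IE5 subfolder name is random per machine and IE
# appends [n] to the cached file name, so both parts are wildcarded.
CACHE_RE = re.compile(
    r"\\Content\.IE5\\[A-Z0-9]{8}\\"
    r"(kwmusic_msnassistant|wl0419152|zz623|t086|coopen_setup_100180)\[\d+\]\.(exe|wko)$",
    re.IGNORECASE,
)


def is_dropped_payload(path, windir="C:\\Windows"):
    """True if path is %WINDIR%\\disk[1-5].exe. The windir default is an assumption."""
    parent, _, name = path.rpartition("\\")
    return parent.lower() == windir.lower() and DROPPED_NAME_RE.fullmatch(name) is not None


def is_cached_payload(path):
    """True if path is one of the IE cache copies named in the report."""
    return CACHE_RE.search(path) is not None


def scan_file_list(paths, windir="C:\\Windows"):
    """Return every path (e.g. from a directory listing) that matches a file IOC."""
    return [p for p in paths if is_dropped_payload(p, windir) or is_cached_payload(p)]


def scan_proxy_log(lines):
    """Return (client, url) for every GET whose path is a known payload path.

    Assumed (constructed) log format: '<timestamp> <client> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "GET":
            continue
        url = parts[3]
        if urlsplit(url).path in PAYLOAD_URI_PATHS:
            hits.append((parts[1], url))
    return hits


# Constructed sample data; hosts and clients are placeholders, not from the report.
SAMPLE_LOG = [
    "2009-06-20T10:00:01 10.0.0.5 GET http://cdn.example.net/mbox/kwmusic_msnassistant.exe 200",
    "2009-06-20T10:00:02 10.0.0.5 GET http://cdn.example.net/index.html 200",
    "2009-06-20T10:00:03 10.0.0.7 GET http://files.example.org/msn/software/partner/dwq0617/t086.wko 200",
    "2009-06-20T10:00:04 10.0.0.9 POST http://cdn.example.net/623/zz623.exe 200",
]

SAMPLE_FILES = [
    r"C:\Windows\disk3.exe",
    r"C:\Windows\System32\disk3.exe",
    r"C:\Windows\disk6.exe",
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\kwmusic_msnassistant[1].exe",
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\t086[1].wko",
    r"C:\Program Files\app\disk1.exe",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"proxy hit: {client} fetched {url}")
    for path in scan_file_list(SAMPLE_FILES):
        print(f"file hit: {path}")
```

Matching on the URI path rather than the host is deliberate: the hosts are masked in the report, and a downloader of this kind can be repointed at a different host while the path stays fixed. The file check only flags disk1.exe through disk5.exe when they sit directly in %WINDIR%, so a legitimately named file elsewhere is not reported.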