Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] '' = '"<LS_APPDATA>\alg.exe" -a "%PROGRAM_FILES%\Internet Explorer\iexplore.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '3884546211' = '<LS_APPDATA>\alg.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon.exe' = '<SYSTEM32>\ctfmon.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- <LS_APPDATA>\alg.exe -gav <Full path to virus>
Terminates or attempts to terminate
the following user processes:
- chrome.exe
- opera.exe
- iexplore.exe
- firefox.exe
Modifies file system :
Creates the following files:
- %TEMP%\2b5b7a8402270or81h886v5fh54frq57h1s2u1v
- %HOMEPATH%\Templates\2b5b7a8402270or81h886v5fh54frq57h1s2u1v
- %ALLUSERSPROFILE%\Application Data\2b5b7a8402270or81h886v5fh54frq57h1s2u1v
- <LS_APPDATA>\alg.exe
- <LS_APPDATA>\2b5b7a8402270or81h886v5fh54frq57h1s2u1v
Deletes itself.
Network activity:
Connects to:
- 'wi###ypihag.com':80
- 'ci####cuqekexo.com':80
- 'si####qilugoq.com':80
- 'fo####wupode.com':80
- 'wa####qohuli.com':80
- 'le###ehup.com':80
- 'jy####fyhulora.com':80
- 'he###yheduf.com':80
- 'sy####lurypugi.com':80
- 'su###ebaq.com':80
- 'xi####xegybozi.com':80
- 'ci####rijugeg.com':80
- 'bi####qojivu.com':80
- 'ho####mitajy.com':80
- 'le####vasezo.com':80
- 'zy####wodojyx.com':80
- 'mo####xazyby.com':80
- 'gi###eceta.com':80
- 'ra####bareme.com':80
- 'ti###uqel.com':80
- 'ba####naxepo.com':80
- 'qo###ifelaw.com':80
- 'pa####kavygaj.com':80
- 'za####tahuryp.com':80
- 'pi####xuwisin.com':80
- 'xu###acaqy.com':80
- 'le####jezociw.com':80
- 'pe###ehywe.com':80
- 'he###ixiru.com':80
UDP:
- DNS ASK si####qilugoq.com
- DNS ASK ci####cuqekexo.com
- DNS ASK bi####qojivu.com
- DNS ASK ci####rijugeg.com
- DNS ASK jy####fyhulora.com
- DNS ASK le###ehup.com
- DNS ASK wi###ypihag.com
- DNS ASK fo####wupode.com
- DNS ASK fe####holubaro.com
- DNS ASK su###ebaq.com
- DNS ASK ku###ulyw.com
- DNS ASK wy####facysyd.com
- DNS ASK xi####xegybozi.com
- DNS ASK ho####mitajy.com
- DNS ASK sy####lurypugi.com
- DNS ASK he###yheduf.com
- DNS ASK zy####wodojyx.com
- DNS ASK ra####bareme.com
- DNS ASK le####jezociw.com
- DNS ASK gi###eceta.com
- DNS ASK ba####naxepo.com
- DNS ASK ti###uqel.com
- DNS ASK qo###ifelaw.com
- DNS ASK mo####xazyby.com
- DNS ASK pi####xuwisin.com
- DNS ASK za####tahuryp.com
- DNS ASK wa####qohuli.com
- DNS ASK le####vasezo.com
- DNS ASK he###ixiru.com
- DNS ASK pe###ehywe.com
- DNS ASK pa####kavygaj.com
- DNS ASK xu###acaqy.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'msascui_class' WindowName: ''
- ClassName: 'Indicator' WindowName: ''