Technical Information
To ensure autorun and distribution:
Infects the following executable system files:
- <SYSTEM32>\dllcache\wuauclt.exe
- <DRIVERS>\beep.sys
Substitutes the following executable system files:
- <SYSTEM32>\wuauclt.exe with <SYSTEM32>\wuauclt.exe
Malicious functions:
Executes the following:
- <SYSTEM32>\cacls.exe <DRIVERS>\acpidisk.sys /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\npptools.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe %ALLUSERSPROFILE%\ЎёїЄКјЎ№ІЛµҐ\іМРт\Жф¶Ї /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\wanpacket.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\pthreadVC.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\packet.dll /e /p everyone:f
- <SYSTEM32>\cacls.exe <DRIVERS>\npf.sys /e /p everyone:f
- <SYSTEM32>\cacls.exe <SYSTEM32>\wpcap.dll /e /p everyone:f
Terminates or attempts to terminate
the following user processes:
- AVP.EXE
- 360tray.exe
Restores hooked functions in System Service Descriptor Table (SSDT).
Modifies file system :
Sets the 'hidden' attribute to the following files:
- <Full path to virus>
Deletes the following files:
- <SYSTEM32>\mfc71.dll
Moves the following system files:
- from <SYSTEM32>\wuauclt.exe to C:\XEX.temp