Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '.nvsvc' = '%WINDIR%\system\smss.exe /w'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\svchost.exe' = '<SYSTEM32>\svchost.exe:*:Enabled:Microsoft Update'
Executes the following:
- <SYSTEM32>\wbem\wmiadap.exe /R /T
- <SYSTEM32>\alg.exe
- <SYSTEM32>\svchost.exe
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\wbem\Performance\WmiApRpl_new.ini
- %WINDIR%\system\smss.exe
Moves the following files:
- from <SYSTEM32>\wbem\Performance\WmiApRpl_new.ini to <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- from <SYSTEM32>\wbem\Performance\WmiApRpl_new.h to <SYSTEM32>\wbem\Performance\WmiApRpl.h
Network activity:
Connects to:
- 'cu#.#amaner.com':80
UDP:
- DNS ASK cu#.#amaner.com
- '21#.#55.189.85':1900