Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{50E226CF-4943-4D94-9EEE-24BBDF75C7A8}' = 'kkkyfile.dll'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\USERSACH] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\winhelp32] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\winhelp] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%TEMP%\Messenger\setup.exe' 2706
- '<SYSTEM32>\winhelp32.exe'
- '%PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe'
- '<SYSTEM32>\yvspl.exe'
- '%PROGRAM_FILES%\Microsoft.NET\oqprqtvu.exe' lnk nothing
- '<SYSTEM32>\behko.exe'
- '<SYSTEM32>\behko.exe' /service
- '<SYSTEM32>\winhelp.exe'
- '%TEMP%\player010.exe'
- '%TEMP%\002.exe'
- '%TEMP%\ALEXA.exe'
- '%TEMP%\small.exe'
- '%TEMP%\IExplorer.exe'
- '%TEMP%\yoyo1243.exe'
- '%TEMP%\PPS.exe'
Executes the following:
- '<SYSTEM32>\cmd.exe' /c afc9fe2f418b00a0.bat
- '<SYSTEM32>\at.exe' /delete /yes
- '%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' http://www.73#7.cn/#27062
- '<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\kkkyfile.dll
- '<SYSTEM32>\rundll32.exe' try922.dll , InstallMyDll
- '<SYSTEM32>\net1.exe' start USERSACH
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies settings of Windows Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoInternetIcon' = '00000001'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %HOMEPATH%\Start Menu\Programs\Internet Explorer.lnk
- %ALLUSERSPROFILE%\Start Menu\Internet Explorer.lnk
- %HOMEPATH%\Start Menu\Internet Explorer.lnk
- %HOMEPATH%\Favorites\їб256НшЦ·ґуИ«--ВМЙ«НшЦ·--ЦР№ъЧоЧЁТµµДНшЦ·µјєЅ.url
- %HOMEPATH%\Favorites\ґґТµЧКС¶јУГЛЈ[ґґТµЧКС¶-ЦР№ъґґТµГЕ»§НшХѕ].url
- %ALLUSERSPROFILE%\Start Menu\Programs\Internet Explorer.lnk
- <SYSTEM32>\adorder.ini
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\gt[1].asp
- %PROGRAM_FILES%\Microsoft.NET\oqprqtvu.exe
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
- %HOMEPATH%\Desktop\Internet Explorer.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\gt[1].asp
- %HOMEPATH%\Favorites\РЎУОП·,ФЪПЯРЎУОП·,Л«ИЛРЎУОП·,7k7kРЎУОП·.url
- <SYSTEM32>\Web.ini
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\7357[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\7357[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\lin[1].htm
- %WINDIR%\Temp\Messenger\kbietmp2.ini
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LBMMC3H3\index[1].htm
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\update[1].htm
- %TEMP%\afc9fe2f418b00a0.bat
- %HOMEPATH%\Desktop\7k7kРЎУОП·.lnk
- %TEMP%\usrinit_t.exe
- %TEMP%\3596799a1543bc9f.aqq
- %WINDIR%\Temp\Messenger\adgjn.ini
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ver2[1].txt
- <SYSTEM32>\try922.dll
- <SYSTEM32>\67-105-7163
- %TEMP%\PPS.exe
- %TEMP%\Messenger\ccfapi32.dll
- <SYSTEM32>\kkkyfile.dll
- <SYSTEM32>\dllcache\try922.dll
- %TEMP%\yoyo1243.exe
- %TEMP%\ALEXA.exe
- %TEMP%\player010.exe
- %TEMP%\small.exe
- %TEMP%\IExplorer.exe
- %TEMP%\002.exe
- <SYSTEM32>\winhelp.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\_inimac
- <SYSTEM32>\winhelp32.exe
- %PROGRAM_FILES%\Microsoft Office\SYSTEM\08.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\dll[1].aspx
- %WINDIR%\1.tmp
- <SYSTEM32>\mssrcid.ini
- %TEMP%\Messenger\setup.exe
- %TEMP%\Messenger\nvsys.ini
- %TEMP%\Messenger\nvmctray.dll
- %TEMP%\nse4.tmp\System.dll
- %TEMP%\Messenger\sysvc.dat
- %TEMP%\Messenger\sysmain.dat
Sets the 'hidden' attribute to the following files:
- %PROGRAM_FILES%\Microsoft.NET\oqprqtvu.exe
Deletes the following files:
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
- %HOMEPATH%\Desktop\Internet Explorer.lnk
- %HOMEPATH%\Desktop\7k7kРЎУОП·.lnk
- %ALLUSERSPROFILE%\Start Menu\Programs\Internet Explorer.lnk
- %ALLUSERSPROFILE%\Start Menu\Internet Explorer.lnk
- %HOMEPATH%\Start Menu\Internet Explorer.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\7357[1]
- %WINDIR%\1.tmp
- %TEMP%\nse4.tmp\System.dll
- %WINDIR%\winhelp.exe
- %TEMP%\small.exe
- %TEMP%\3596799a1543bc9f.aqq
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\gt[1].asp
Moves the following files:
- from %TEMP%\Messenger\nvsys.ini to <SYSTEM32>\zwtqm.ini
- from %TEMP%\Messenger\sysmain.dat to <SYSTEM32>\yvspl.exe
- from %PROGRAM_FILES%\Microsoft Office\SYSTEM\08.exe to %PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe
- from %TEMP%\Messenger\sysvc.dat to <SYSTEM32>\behko.exe
Network activity:
Connects to:
- 'co####.hao123soso.cn':80
- 'localhost':1062
- 'www.de##a.cn':80
- 'localhost':1065
- 'www.su###qqface.com':80
- 'localhost':1071
- 'www.73#7.cn':80
- 'bb#.#x008.cn':7080
- 'localhost':8389
- 'localhost':1038
- '88#.#43call.cn':80
- 're####e.51edm.net':80
- 'ad.##595.com':80
- 'un###.996116.cn':80
TCP:
HTTP GET requests:
- www.de##a.cn/up/update.htm
- www.de##a.cn/page/gt.asp?ve#############################################################################################
- co####.hao123soso.cn/count/count.asp?sz########################################################################################################################################################################################################
- www.de##a.cn/myconfig/index.htm
- www.73#7.cn/
- www.de##a.cn/page/gt.asp?ve#################################
- un###.996116.cn/dll.aspx?ti########################################################################################################################################################
- 88#.#43call.cn/pw.ini
- un###.996116.cn/ver/ver2.txt
- re####e.51edm.net/geturl.php?q=###################################################################################################################################################################################################################################
- ad.##595.com/count/count.asp?sz####################################################################################################################################################################################################
HTTP POST requests:
- www.su###qqface.com//lin//lin.asp
UDP:
- DNS ASK co####.hao123soso.cn
- DNS ASK www.de##a.cn
- DNS ASK www.su###qqface.com
- DNS ASK www.73#7.cn
- DNS ASK re####e.51edm.net
- DNS ASK 88#.#43call.cn
- DNS ASK bb#.#x008.cn
- DNS ASK ad.##595.com
- DNS ASK un###.996116.cn
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''