Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\taskhost.exe'
- '<SYSTEM32>\wermgr.exe' -queuereporting
- '<SYSTEM32>\DllHost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Modifies file system :
Creates the following files:
- %TEMP%\ish707464\css\main.css
- %TEMP%\ish707464\css\sdk-ui\browse.css
- %TEMP%\ish707464\css\sdk-ui\button.css
- %TEMP%\ish702020\bootstrap_24799.html
- %TEMP%\000ACB78.log
- %TEMP%\ish707464\css\ie6_main.css
- %TEMP%\ish707464\css\sdk-ui\images\progress-bg.png
- %TEMP%\ish707464\css\sdk-ui\images\progress-bg2.png
- %TEMP%\ish707464\css\sdk-ui\progress-bar.css
- %TEMP%\ish707464\css\sdk-ui\checkbox.css
- %TEMP%\ish707464\css\sdk-ui\images\button-bg.png
- %TEMP%\ish707464\css\sdk-ui\images\progress-bg-corner.png
- %TEMP%\ish702020\images\loader.gif
- %TEMP%\ish702020\images\Pause_Button.png
- %TEMP%\ish702020\images\progress-bg.png
- %TEMP%\ish702020\images\Grey_Button.png
- %TEMP%\ish702020\images\Grey_Button_Hover.png
- %TEMP%\ish702020\images\icon_generic.png
- %TEMP%\ish702020\images\Resume_Button.png
- %TEMP%\ish702020\locale\EN.locale
- %TEMP%\ish702020\locale\ES.locale
- %TEMP%\ish702020\images\Progress.png
- %TEMP%\ish702020\images\ProgressBar.png
- %TEMP%\ish702020\images\Quick_Specs.png
- %TEMP%\ish707464\csshover3.htc
- %TEMP%\ish707464\images\Resume_Button.png
- %TEMP%\ish707464\locale\EN.locale
- %TEMP%\ish707464\locale\ES.locale
- %TEMP%\ish707464\images\Progress.png
- %TEMP%\ish707464\images\ProgressBar.png
- %TEMP%\ish707464\images\Quick_Specs.png
- %TEMP%\000AD8F0.log
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\virtual-wi-fi-router[1].png
- %TEMP%\000AD69F.log
- %TEMP%\ICReinstall_<Virus name>.exe
- %HOMEPATH%\Desktop\Continue Virtual Wi-Fi Router Installation.lnk
- %TEMP%\ish707464\images\close_hover.png
- %TEMP%\ish707464\images\Color_Button.png
- %TEMP%\ish707464\images\Color_Button_Hover.png
- %TEMP%\ish707464\form.bmp.Mask
- %TEMP%\ish707464\images\bg.png
- %TEMP%\ish707464\images\close.png
- %TEMP%\ish707464\images\loader.gif
- %TEMP%\ish707464\images\Pause_Button.png
- %TEMP%\ish707464\images\progress-bg.png
- %TEMP%\ish707464\images\Grey_Button.png
- %TEMP%\ish707464\images\Grey_Button_Hover.png
- %TEMP%\ish707464\images\icon_generic.png
- %TEMP%\ish700397\images\close_hover.png
- %TEMP%\ish700397\images\Color_Button.png
- %TEMP%\ish700397\images\Color_Button_Hover.png
- %TEMP%\ish700397\form.bmp.Mask
- %TEMP%\ish700397\images\bg.png
- %TEMP%\ish700397\images\close.png
- %TEMP%\ish700397\images\loader.gif
- %TEMP%\ish700397\images\Pause_Button.png
- %TEMP%\ish700397\images\progress-bg.png
- %TEMP%\ish700397\images\Grey_Button.png
- %TEMP%\ish700397\images\Grey_Button_Hover.png
- %TEMP%\ish700397\images\icon_generic.png
- %TEMP%\ish700397\css\sdk-ui\browse.css
- %TEMP%\ish700397\css\sdk-ui\button.css
- %TEMP%\ish700397\css\sdk-ui\checkbox.css
- %TEMP%\000AAFDE.log
- %TEMP%\ish700397\css\ie6_main.css
- %TEMP%\ish700397\css\main.css
- %TEMP%\ish700397\css\sdk-ui\images\progress-bg2.png
- %TEMP%\ish700397\css\sdk-ui\progress-bar.css
- %TEMP%\ish700397\csshover3.htc
- %TEMP%\ish700397\css\sdk-ui\images\button-bg.png
- %TEMP%\ish700397\css\sdk-ui\images\progress-bg-corner.png
- %TEMP%\ish700397\css\sdk-ui\images\progress-bg.png
- %TEMP%\ish700397\images\Progress.png
- %TEMP%\ish702020\css\sdk-ui\images\progress-bg2.png
- %TEMP%\ish702020\css\sdk-ui\progress-bar.css
- %TEMP%\ish702020\csshover3.htc
- %TEMP%\ish702020\css\sdk-ui\images\button-bg.png
- %TEMP%\ish702020\css\sdk-ui\images\progress-bg-corner.png
- %TEMP%\ish702020\css\sdk-ui\images\progress-bg.png
- %TEMP%\ish702020\images\close_hover.png
- %TEMP%\ish702020\images\Color_Button.png
- %TEMP%\ish702020\images\Color_Button_Hover.png
- %TEMP%\ish702020\form.bmp.Mask
- %TEMP%\ish702020\images\bg.png
- %TEMP%\ish702020\images\close.png
- %TEMP%\ish700397\locale\EN.locale
- %TEMP%\ish700397\locale\ES.locale
- %TEMP%\000AB598.log
- %TEMP%\ish700397\images\ProgressBar.png
- %TEMP%\ish700397\images\Quick_Specs.png
- %TEMP%\ish700397\images\Resume_Button.png
- %TEMP%\ish702020\css\sdk-ui\browse.css
- %TEMP%\ish702020\css\sdk-ui\button.css
- %TEMP%\ish702020\css\sdk-ui\checkbox.css
- %TEMP%\000AB644.log
- %TEMP%\ish702020\css\ie6_main.css
- %TEMP%\ish702020\css\main.css
Deletes the following files:
- %TEMP%\ish700397\images\Pause_Button.png
- %TEMP%\ish700397\images\loader.gif
- %TEMP%\ish700397\images\Progress.png
- %TEMP%\ish700397\images\progress-bg.png
- %TEMP%\ish700397\images\icon_generic.png
- %TEMP%\ish700397\images\Grey_Button.png
- %TEMP%\ish700397\images\Color_Button_Hover.png
- %TEMP%\000AB644.log
- %TEMP%\ish700397\images\Grey_Button_Hover.png
- %TEMP%\ish702020\bootstrap_24799.html
- %TEMP%\000ACB78.log
- %TEMP%\000AD8F0.log
- %TEMP%\000AD69F.log
- %TEMP%\ish700397\locale\ES.locale
- %TEMP%\ish700397\images\Quick_Specs.png
- %TEMP%\ish700397\images\ProgressBar.png
- %TEMP%\ish700397\locale\EN.locale
- %TEMP%\ish700397\images\Resume_Button.png
- %TEMP%\ish700397\css\sdk-ui\checkbox.css
- %TEMP%\ish700397\css\sdk-ui\button.css
- %TEMP%\ish700397\css\sdk-ui\images\progress-bg-corner.png
- %TEMP%\ish700397\css\sdk-ui\images\button-bg.png
- %TEMP%\ish700397\css\sdk-ui\browse.css
- %TEMP%\000AB598.log
- %TEMP%\000AAFDE.log
- %TEMP%\ish700397\css\main.css
- %TEMP%\ish700397\css\ie6_main.css
- %TEMP%\ish700397\images\close.png
- %TEMP%\ish700397\images\bg.png
- %TEMP%\ish700397\images\Color_Button.png
- %TEMP%\ish700397\images\close_hover.png
- %TEMP%\ish700397\form.bmp.Mask
- %TEMP%\ish700397\css\sdk-ui\images\progress-bg2.png
- %TEMP%\ish700397\css\sdk-ui\images\progress-bg.png
- %TEMP%\ish700397\csshover3.htc
- %TEMP%\ish700397\css\sdk-ui\progress-bar.css
Network activity:
Connects to:
- 'im#.##todown.net':80
- 'os#.##todowncdn.com':80
- 'dw#.##todown.com':80
- 'localhost':58912
- 'os.###odowncdn.com':80
TCP:
HTTP GET requests:
- im#.##todown.net/icons/virtual-wi-fi-router.png
- dw#.##todown.com/ic/dw/virtual-wi-fi-router-2-0-1-5-en-win.exe
HTTP POST requests:
- os#.##todowncdn.com/UpToDown/?v=################
- os.###odowncdn.com/UpToDown/?v=################
UDP:
- DNS ASK im#.##todown.net
- DNS ASK os#.##todowncdn.com
- DNS ASK os.###odowncdn.com
- DNS ASK dw#.##todown.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'OleMainThreadWndClass' WindowName: ''