Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'sen' = '%WINDIR%\sen.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'eay' = '%WINDIR%\eay.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\gle.exe
Malicious functions:
Creates and executes the following:
- '%WINDIR%\sen.exe'
- '%WINDIR%\eay.exe'
- '%WINDIR%\eay.exe' (downloaded from the Internet)
Modifies file system :
Creates the following files:
- C:\gle.exe
- C:\autorun.inf
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\whot7YZR[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\whot7YZR[1]
- %WINDIR%\eay.exe
- %WINDIR%\sen.exe
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\whot7YZR[1]
Network activity:
Connects to:
- 'localhost':1039
- 'ea###upload.nl':80
- 'localhost':1036
TCP:
HTTP GET requests:
- ea###upload.nl/f/whot7YZR
UDP:
- DNS ASK ea###upload.nl