Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\Userinit.exe,%TEMP%\svchost.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\ntldr.exe
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
Executes the following:
- '<SYSTEM32>\wscript.exe' "<SYSTEM32>\s4c.vbs"
Modifies file system :
Creates the following files:
- <SYSTEM32>\s4c.vbs
- C:\autorun.inf
- %TEMP%\desktop.ini
- %TEMP%\svchost.exe
- %WINDIR%\sp.htm
Sets the 'hidden' attribute to the following files:
- C:\ntldr.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\ntldr.exe
- %TEMP%\svchost.exe
- %TEMP%\desktop.ini
- C:\autorun.inf
Deletes the following files:
- <SYSTEM32>\s4c.vbs
Network activity:
Connects to:
- 'dl####.dropbox.com':443
- 'wp#d':80
TCP:
HTTP GET requests:
- wp#d/wpad.dat
UDP:
- DNS ASK dl####.dropbox.com
- DNS ASK wp#d
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'