Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '{759C631F-58B9-AC31-633B-0D69FA2D9B30}' = '%APPDATA%\Roaming\Ezzuco\exfi.exe'
Malicious functions:
To bypass the firewall, removes or modifies the following registry values (the Windows Firewall standard profile is switched off and its notifications are suppressed):
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
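The following Python script is an added example, not part of this analysis: it parses a `reg export` dump and reports both of the registry changes listed above, the autorun entry under the Run key (a GUID-named value that launches a binary from the user's AppData tree) and the weakened StandardProfile firewall values. The .reg text, the expanded profile path C:\Users\victim and the extra benign entries are constructed for the example; the key and value names are the ones from the analysis.

```python
"""Audit a .reg export for the autorun entry and firewall-policy changes described above."""
import re
from typing import Dict, List, Tuple

# Constructed sample in `reg export` format (the real file is UTF-16 with the same
# text). Key and value names mirror the analysis; the profile path is invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{759C631F-58B9-AC31-633B-0D69FA2D9B30}"="C:\\Users\\victim\\AppData\\Roaming\\Ezzuco\\exfi.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# A healthy firewall profile: enabled, notifications not suppressed.
# DoNotAllowExceptions=0 is the normal default, so it is not an indicator on its own.
FIREWALL_EXPECTED = {"EnableFirewall": 1, "DisableNotifications": 0}


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse DWORD and string values of a .reg export into {key: {name: value}}."""
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            reg[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            # .reg escapes backslashes and quotes inside string data as \\ and \".
            reg[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return reg


def audit_firewall(reg: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, int, int]]:
    """Return (key, name, found, expected) for every firewall profile value that was weakened."""
    findings = []
    for key, values in reg.items():
        if "\\firewallpolicy\\" not in key.lower():
            continue
        for name, expected in FIREWALL_EXPECTED.items():
            found = values.get(name)
            if isinstance(found, int) and found != expected:
                findings.append((key, name, found, expected))
    return findings


def audit_run_keys(reg: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, name, command, reason) for Run entries with a GUID-style value
    name or a command launched from a user's AppData tree."""
    findings = []
    for key, values in reg.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, command in values.items():
            if not isinstance(command, str):
                continue
            reasons = []
            if GUID_RE.match(name):
                reasons.append("guid-named value")
            if "\\appdata\\" in command.lower():
                reasons.append("runs from AppData")
            if reasons:
                findings.append((key, name, command, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for finding in audit_run_keys(parsed):
        print("RUN:", finding)
    for finding in audit_firewall(parsed):
        print("FIREWALL:", finding)
```

On a live system the same checks apply to the active ControlSet (CurrentControlSet) as well as ControlSet001, and to the DomainProfile and PublicProfile keys; the script only reports values that are present, so an absent EnableFirewall value (the default, meaning enabled) is not a finding.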
To complicate detection of its presence in the operating system, forces the system to hide from view:
- hidden files
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '%APPDATA%\Roaming\Ezzuco\exfi.exe'
Executes the following:
- '<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
- '<SYSTEM32>\conhost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- '<SYSTEM32>\rundll32.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to virus>"
- '<SYSTEM32>\DllHost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<SYSTEM32>\taskhost.exe"
Injects code into the following system processes:
- <SYSTEM32>\DllHost.exe
Modifies settings of Windows Internet Explorer (in the Trusted sites and Internet zones, URL actions 1406 'Access data sources across domains' and 1609 'Display mixed content' are set to 0, i.e. Enable):
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1406' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1406' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1609' = '00000000'
Modifies file system:
Creates the following files:
- %TEMP%\ppcrlui_3300_2
- %TEMP%\TarC9F3.tmp
- %TEMP%\windrynl.exe
- %WINDIR%\ServiceProfiles\LocalService\Desktop\debug.txt
- %TEMP%\CabC9F2.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\config[1].bin
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\68BF3AFF-00000001.eml:OECustomProperty
- <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
- <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
- %TEMP%\axbc.exe
- %TEMP%\qxsw.exe
- %TEMP%\fscgss.exe
- %TEMP%\qadv.exe
- %TEMP%\xnmc.exe
- %TEMP%\winhbmiv.exe
- %TEMP%\windlbtl.exe
- %TEMP%\jfulu.exe
- %TEMP%\winveesyp.exe
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\68BF3AFF-00000001.eml
- <LS_APPDATA>\Microsoft\Windows Mail\tmp.edb
- %APPDATA%\Roaming\Ibxe\mifya.awd
- <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore
- %TEMP%\tmpd5b9f8ce.bat
- %HOMEPATH%\Desktop\debug.txt
- %TEMP%\mruxdg.exe
- %TEMP%\winnhknl.exe
- %APPDATA%\Roaming\Ezzuco\exfi.exe
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\edb00002.log
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\edb.log
Deletes the following files:
- %TEMP%\jfulu.exe
- %TEMP%\xnmc.exe
- %TEMP%\winhbmiv.exe
- %TEMP%\winveesyp.exe
- %TEMP%\qadv.exe
- %TEMP%\fscgss.exe
- %TEMP%\qxsw.exe
- %TEMP%\axbc.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\config[1].bin
- %TEMP%\CabC9F2.tmp
- %TEMP%\mruxdg.exe
- %TEMP%\winnhknl.exe
- %TEMP%\windrynl.exe
- %TEMP%\windlbtl.exe
- %TEMP%\TarC9F3.tmp
- %TEMP%\ppcrlui_3300_2
Moves the following files:
- from %APPDATA%\Roaming\Ibxe\mifya.awd to %APPDATA%\Roaming\Ibxe\mifya.tmp
- from <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log to <LS_APPDATA>\Microsoft\Windows Mail\edb.log
Deletes itself.
Network activity:
Connects to:
- '72####metgrup.com':80
- 'www.bl#####ecreatives.com':80
- 'www.ce####ogullari.com':80
- '17#.#93.19.14':80
- 'ce###pasa.com':80
- 'ya######cil.ya.funpic.de':80
- 'pe#####el.fm.interia.pl':80
- '20#.#6.232.182':80
- 'pu###hss.com':80
- 'de###int-eg.com':80
- 'su###llie.com':80
- 'ch###stara.com':80
TCP:
HTTP GET requests:
- 72####metgrup.com/images/logosa.gif?a5###########
- www.bl#####ecreatives.com/logos.gif?a5###########
- www.ce####ogullari.com/logof.gif?a5###########
- 17#.#93.19.14/logo.gif?a6###########
- ce###pasa.com/images/logos.gif?a6###########
- ya######cil.ya.funpic.de/images/logos.gif?a5###########
- pe#####el.fm.interia.pl/logos.gif?a4###########
- 20#.#6.232.182/pki/crl/products/CodeSignPCA.crl
- pu###hss.com/images/link/BankofAmerica.Com/config.bin
- de###int-eg.com/images/logosa.gif?a5##########
- su###llie.com/images/logos.gif?a5###########
- ch###stara.com/logof.gif?a4###########
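The following Python script is an added example, not part of this analysis: it flags the two request shapes listed above in proxy logs, the beacon disguised as an image fetch (a logo*.gif path whose only query string is a bare opaque token beginning with a letter and a digit) and the config.bin download. The request for CodeSignPCA.crl, together with the DNS lookup of crl.microsoft.com, is Windows' own code-signing certificate revocation check, so the rule deliberately leaves it alone. The log lines, hostnames and token values are constructed; the masked hosts from the analysis are not reproduced.

```python
"""Flag the fake-image beacon and config.bin fetch described above in proxy logs."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed proxy log lines in Common Log Format whose request line carries the
# absolute URL ("GET http://host/path HTTP/1.1"). Hostnames and tokens are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:02 +0000] "GET http://first-host.invalid/images/logosa.gif?a5f3c1e9d2b4a6 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2012:10:01:03 +0000] "GET http://second-host.invalid/logof.gif?a6b1c2d3e4f5a7 HTTP/1.1" 200 498
10.0.0.5 - - [12/Mar/2012:10:01:04 +0000] "GET http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl HTTP/1.1" 200 1320
10.0.0.5 - - [12/Mar/2012:10:01:05 +0000] "GET http://third-host.invalid/images/link/BankofAmerica.Com/config.bin HTTP/1.1" 200 40960
10.0.0.5 - - [12/Mar/2012:10:01:06 +0000] "GET http://www.example.com/images/logo.gif?v=3 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# Beacon: a logo*.gif path with a single bare query token (no "=") that starts
# with a letter and a digit, as in "logos.gif?a5..." above. Ordinary cache-busting
# queries such as "?v=3" do not match.
BEACON_PATH_RE = re.compile(r"/logo[a-z]*\.gif$", re.IGNORECASE)
BEACON_QUERY_RE = re.compile(r"^[a-z]\d[0-9a-zA-Z]{8,}$")
CONFIG_RE = re.compile(r"/config\.bin$", re.IGNORECASE)


def classify(url: str) -> str:
    """Return 'beacon', 'config-fetch' or '' for a request URL."""
    parts = urlsplit(url)
    if BEACON_PATH_RE.search(parts.path) and BEACON_QUERY_RE.match(parts.query):
        return "beacon"
    if CONFIG_RE.search(parts.path):
        return "config-fetch"
    return ""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse CLF lines and return one record per request matching either pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        label = classify(m.group("url"))
        if label:
            hits.append({
                "src": m.group("src"),
                "time": m.group("ts"),
                "host": urlsplit(m.group("url")).hostname or "",
                "label": label,
                "url": m.group("url"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} {hit['label']:13} {hit['url']}")
```

Because the hostnames rotate across the twelve servers above while the path and query shape stay the same, matching on the URL shape rather than on a host list is what makes the rule survive infrastructure changes; a host list from this report is still worth loading as a second, higher-confidence indicator.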
UDP:
- DNS ASK www.bl#####ecreatives.com
- DNS ASK www.ce####ogullari.com
- DNS ASK 72####metgrup.com
- DNS ASK ce###pasa.com
- DNS ASK ya######cil.ya.funpic.de
- DNS ASK de###int-eg.com
- DNS ASK crl.microsoft.com
- DNS ASK pu###hss.com
- DNS ASK pe#####el.fm.interia.pl
- DNS ASK su###llie.com
- DNS ASK ch###stara.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'OutlookExpressHiddenWindow' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'OleMainThreadWndClass' WindowName: '(null)'