Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\cacls.exe' "%APPDATA%\19981660" /P "%USERNAME%:R"
- '<SYSTEM32>\cacls.exe' "%APPDATA%\19981660\svchost.exe" /P "%USERNAME%:R"
Modifies file system :
Creates the following files:
- %APPDATA%\19981660\svchost.exe
Deletes the following files:
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini