Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}] 'stubpath' = ''
Malicious functions:
Creates and executes the following:
- <Current directory>\sxe3.tmp
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Modifies file system :
Creates the following files:
- %WINDIR%\456.asa
- %WINDIR%\fdlaaar.exe
- <Current directory>\sxe3.tmp
- <Current directory>\sxe2.tmp
- <Current directory>\sxe1.tmp
Deletes the following files:
- <Current directory>\sxe3.tmp
- <Current directory>\sxe1.tmp
- <Current directory>\sxe2.tmp
Network activity:
Connects to:
- '<Private IP address>':2000
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''