Technical Information
Malicious functions:
Hides the following processes:
Modifies file system :
Creates the following files:
- %TEMP%\E_N4\eAPI.fne
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\bbs.yurbbs[1]
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\wg[1].html
- %TEMP%\E_N4\krnln.fnr
- %TEMP%\E_N4\xplib.fne
- %TEMP%\E_N4\HtmlView.fne
Network activity:
Connects to:
- 'localhost':1039
- 'www.yu##bs.cn':80
- 'localhost':1035
- 'bb#.#urbbs.cn':80
TCP:
HTTP GET requests:
- bb#.#urbbs.cn/
- bb#.#urbbs.cn/cf/wg.html
UDP:
- DNS ASK www.yu##bs.cn
- DNS ASK bb#.#urbbs.cn
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: 'Microsoft Internet Explorer'