Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe SVCH0ST.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\SVCH0ST.exe
Malicious functions:
Creates and executes the following:
- <SYSTEM32>\SVCH0ST.exe
- <SYSTEM32>\WINLOG0N.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\Server[1].php
- %TEMP%\aut5.tmp
- %TEMP%\aut4.tmp
- <SYSTEM32>\Server.ini
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\Server[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\Server[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\Server[1].php
- %TEMP%\aut2.tmp
- %TEMP%\Ot
- %TEMP%\aut1.tmp
- <SYSTEM32>\WINLOG0N.exe
- <SYSTEM32>\autorun.ini
- %TEMP%\aut3.tmp
- <SYSTEM32>\SVCH0ST.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <SYSTEM32>\autorun.ini
- <SYSTEM32>\SVCH0ST.exe
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\Server[1].php
- %TEMP%\aut5.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\Server[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\Server[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\Server[2].php
- %TEMP%\aut4.tmp
- %TEMP%\Ot
- %TEMP%\aut1.tmp
- %TEMP%\aut2.tmp
- <Drive name for removable media>:\autorun.inf
- %TEMP%\aut3.tmp
Moves the following files:
- from <SYSTEM32>\SVCH0ST.exe to <SYSTEM32>\SVCH0ST.exe
Network activity:
Connects to:
- 'll##il.net':80
TCP:
HTTP GET requests:
- ll##il.net/Server.php
UDP:
- DNS ASK ll##il.net