Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ntlsapi' = '%APPDATA%\Microsoft\ntlsapi32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ntlsapi' = '%APPDATA%\Microsoft\ntlsapi32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339OW-2J09-4501-B2F3-C3508F2941KL}] 'StubPath' = '%APPDATA%\Microsoft\ntlsapi32.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.bat
- <Drive name for removable media>:\autorun.vbs
- <Drive name for removable media>:\USBinit32.exe
- <Drive name for removable media>:\autorun.inf
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\internet explorer\iexplore.exe' = '%PROGRAM_FILES%\internet explorer\iexplore.exe:*:Enabled:Internet Explorer'
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Executes the following:
- <SYSTEM32>\attrib.exe -r -s -h "<Full path to virus>"
- <SYSTEM32>\cmd.exe /c ""%TEMP%\tmp.bat" "
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Modifies file system :
Creates the following files:
- %APPDATA%\Microsoft\init.txt
- %TEMP%\tmp.bat
- %APPDATA%\Microsoft\ntlsapi32.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.bat
- <Drive name for removable media>:\autorun.vbs
- <Drive name for removable media>:\USBinit32.exe
- <Drive name for removable media>:\autorun.inf
Deletes the following files:
- %APPDATA%\Microsoft\ntlsapi32.exe
Deletes itself.
Network activity:
Connects to:
- 'go#####.ivedottedya.com':80
- 'yu###.#vepointedya.com':80
- 'cd##.##edottedya.com':80
- '64.##.149.254':80
- '74.##5.232.51':80
TCP:
HTTP GET requests:
- go#####.ivedottedya.com/webyx/settings.cfg?bu#############
- yu###.#vepointedya.com/webyx/remote.php?os#####################################################################################################################
- 64.##.149.254/webyx/?_i########
- cd##.##edottedya.com/webyx/remote.php?os#####################################################################################################################
UDP:
- DNS ASK go#####.ivedottedya.com
- DNS ASK yu###.#vepointedya.com
- DNS ASK sy####.ivepointedya.com
- DNS ASK cd##.##edottedya.com
- DNS ASK www.google.com
- '<Private IP address>':1038
- '<Private IP address>':1037
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''