Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '<SYSTEM32>\SVSH0ST.EXE'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\lcg.exe
Malicious functions:
Creates and executes the following:
- <SYSTEM32>\temp.exe
- <SYSTEM32>\SVSH0ST.EXE
- <SYSTEM32>\temp.exe (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
- <SYSTEM32>\cmd.exe /c <Current directory>\<Virus name>.bat
- <SYSTEM32>\cmd.exe /c ""<Current directory>\<Virus name>.bat""
- <SYSTEM32>\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V svchost /T REG_SZ /D <SYSTEM32>\SVSH0ST.EXE /F
- <SYSTEM32>\reg.exe add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.ha##23.com /f
- <SYSTEM32>\reg.exe add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- C:\autorun.inf
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\boy[1].exe
- <SYSTEM32>\temp.exe
- C:\lcg.exe
- <SYSTEM32>\SVSH0ST.EXE
- <Current directory>\<Virus name>.bat
- <SYSTEM32>\Autorun.inf
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\lcg.exe
- <Drive name for removable media>:\autorun.inf
- C:\lcg.exe
- C:\autorun.inf
Deletes itself.
Network activity:
Connects to:
- 'us####.nofeehost.com':80
- 'localhost':1036
TCP:
HTTP GET requests:
- us####.nofeehost.com/yulinling/boy.exe
UDP:
- DNS ASK us####.nofeehost.com