Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '·юОсґшїнµчЅЪ' = '%PROGRAM_FILES%\vinetz\vinetz.exe'
Malicious functions:
Creates and executes the following:
- %PROGRAM_FILES%\vinetz\vinetz.exe
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\popup[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\pw[1].htm
- %PROGRAM_FILES%\vinetz\pw.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\softcount[1]
- %PROGRAM_FILES%\vinetz\vinetz.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\baidu[1]
- %PROGRAM_FILES%\vinetz\bud.dat
Deletes the following files:
- %PROGRAM_FILES%\vinetz\pw.dll
- %PROGRAM_FILES%\vinetz\bud.dat
Network activity:
Connects to:
- 'ad####.uenet.info':80
- 'www.ba##u.com':80
- 'localhost':1036
TCP:
HTTP GET requests:
- ad####.uenet.info/count/softcount/?pw
- ad####.uenet.info/ad/softad/pw.htm
- www.ba##u.com/
- ad####.uenet.info/ad/softad/popup.htm
UDP:
- DNS ASK ad####.uenet.info
- DNS ASK www.ba##u.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''