Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'RemoteInfection' = '%TEMP%\RemoteINF.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'RemoteInfection' = '%TEMP%\RemoteINF.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\RemoteINF.exe
- <Drive name for removable media>:\autorun.inf
Malicious functions:
Creates and executes the following:
- '%TEMP%\RemoteINF.exe'
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\rcmd[1].ini
- %TEMP%\RemoteCommand.ini
- %TEMP%\RemoteINF.exe
- %TEMP%\files\desktop.ini
Sets the 'hidden' attribute to the following files:
- %TEMP%\files\desktop.ini
- <Drive name for removable media>:\RemoteINF.exe
- <Drive name for removable media>:\autorun.inf
Deletes the following files:
- <Drive name for removable media>:\RemoteINF.exe
- <Drive name for removable media>:\autorun.inf
Network activity:
Connects to:
- 'ne#####m.isa-geek.org':80
TCP:
HTTP GET requests:
- ne#####m.isa-geek.org/Files/rcmd.ini
UDP:
- DNS ASK ne#####m.isa-geek.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'