Technical Information
To ensure autorun and distribution:
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\autorun.exe
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
Executes the following:
- '%WINDIR%\explorer.exe'
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\Explorer.EXE
Modifies file system :
Moves itself:
- from <Full path to virus> to %TEMP%\tmp296.tmp
Network activity:
Connects to:
- 'wp#d':80
TCP:
HTTP GET requests:
- wp#d/wpad.dat
UDP:
- DNS ASK dl.#####oxusercontent.com
- DNS ASK wp#d
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: '(null)'
- ClassName: 'OleMainThreadWndClass' WindowName: '(null)'
- ClassName: 'CSCHiddenWindow' WindowName: '(null)'
- ClassName: 'SystemTray_Main' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'Proxy Desktop' WindowName: '(null)'
- ClassName: 'SysListView32' WindowName: '(null)'
- ClassName: 'BaseBar' WindowName: 'ChanApp'