Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe] 'Debugger' = '%WINDIR%\csrss.exe'
Malicious functions:
Executes the following:
- '<SYSTEM32>\services.exe' %WINDIR%\csrss.exe
- '<SYSTEM32>\svchost.exe' %WINDIR%\csrss.exe
- '%WINDIR%\csrss.exe'
Injects code into
the following system processes:
- <SYSTEM32>\services.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\svchost.exe
Searches for windows to
bypass different anti-viruses:
- ClassName: 'AVP.AlertDialog' WindowName: ''
Modifies file system:
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\g[1].php
- %WINDIR%\csrss.exe
Network activity:
Connects to:
- 'xe###etuo.com':80
TCP:
HTTP GET requests:
- http://xe###etuo.com/m2/g.php
UDP:
- DNS ASK xe###etuo.com