Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'dbghuser' = '<SYSTEM32>\deskprop.exe'
Malicious functions:
Executes the following:
- '<SYSTEM32>\attrib.exe' -r -s -h "<Full path to file>"
- '<SYSTEM32>\cmd.exe' /c ""<Current directory>\236453.bat" "<Full path to file>""
Injects code into
the following system processes:
- <SYSTEM32>\dwwin.exe
the following user processes:
- opera.exe
Modifies file system:
Creates the following files:
- <Current directory>\236453.bat
- <SYSTEM32>\deskprop.exe
Network activity:
Connects to:
- 'co####tution.org':80
- 'localhost':1042
- 'localhost':1037
- 'localhost':1039
TCP:
HTTP GET requests:
- http://co####tution.org/usdeclar.txt
UDP:
- DNS ASK co####tution.org