Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\stisvc] 'Start' = '00000002'
Substitutes the following executable system files:
- <SYSTEM32>\wiaservc.dll with %TEMP%\30386.exe
Malicious functions:
Executes the following:
- <SYSTEM32>\svchost.exe -k imgsvc
Modifies file system:
Creates the following files:
- %TEMP%\30386.exe
Moves the following system files:
- from <SYSTEM32>\wiaservc.dll to <SYSTEM32>\wiaservc.dll.bak
Network activity:
Connects to:
- '69.##7.132.130':8992