Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ctfmon' = 'C:\Files\svchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ctfmon' = 'C:\Files\svchost.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\svchost.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall set opmode disable
Modifies file system:
Creates the following files:
- C:\Files\svchost.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\svchost.exe
- C:\Files\svchost.exe
Network activity:
Connects to:
- 'cs#.#etti.info':80
- 'www.wh###smyip.com':80
TCP:
HTTP GET requests:
- http://cs#.#etti.info/
- http://www.wh###smyip.com/automation/n09230945.asp
UDP:
- DNS ASK www.wh###smyip.com
- DNS ASK ra####er.gcn.pp.ua
- DNS ASK cs#.#etti.info
- '72.##5.61.190':27010
- 'ra####er.gcn.pp.ua':60233
- '72.##5.61.136':27010
- '69.##.140.245':27010
- '68.##2.72.250':27010
- '69.##.140.247':27010
- '69.##.158.131':27010
- '69.##.151.162':27010
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''