Technical Information
Malicious functions:
Creates and executes the following:
- "%TEMP%\FunshionInstall_C43423.exe" (downloaded from the Internet)
- "%TEMP%\<Virus name>.exe" (downloaded from the Internet)
Modifies file system :
Creates the following files:
- %HOMEPATH%\Desktop\Гв·СµзУ°.url
- %HOMEPATH%\Desktop\БЅРФНшХѕ.url
- %HOMEPATH%\Desktop\Ч¬З®ЦВё».url
- %TEMP%\FunshionInstall_C43423.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ie[1].exe
- %TEMP%\<Virus name>.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\download[1].php
Network activity:
Connects to:
- 'ne#####.funshion.com':80
- 'dd.###ndown.eu.tv':80
- 'localhost':1037
TCP:
HTTP GET requests:
- ne#####.funshion.com/software/download.php?id######
- dd.###ndown.eu.tv/down/ie.exe
UDP:
- DNS ASK ne#####.funshion.com
- DNS ASK dd.###ndown.eu.tv