Technical Information
To ensure autorun and distribution:
Creates the following files on removable media:
- <Drive name for removable media>:\Picture.JPG.exe
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\ip[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\%USERNAME%-USER-4BB09A9C02-[2].html
- %WINDIR%\Windows.Manifest
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ip[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\%USERNAME%-USER-4BB09A9C02-[2].html
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ip[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ip[4].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\%USERNAME%-USER-4BB09A9C02-[4].html
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\ip[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\%USERNAME%-USER-4BB09A9C02-[3].html
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\%USERNAME%-USER-4BB09A9C02-[2].html
- <SYSTEM32>\Bmp2Jpeg.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\%USERNAME%-USER-4BB09A9C02-[1].html
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\Bmp2Jpeg[1].jpg
- C:\p.sys
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ver[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\ip[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\ULU3YH2D\ip[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\SL6TKFAX\%USERNAME%-USER-4BB09A9C02-[1].html
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\%USERNAME%-USER-4BB09A9C02-[1].html
- %WINDIR%\pc.dat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\ip[1].php
Deletes the following files:
- %WINDIR%\Media\Windows XP Logon Sound.wav
- %WINDIR%\Media\Windows XP Logoff Sound.wav
- %WINDIR%\Media\Windows XP Minimize.wav
- %WINDIR%\Media\Windows XP Menu Command.wav
- %WINDIR%\Media\Windows XP Information Bar.wav
- %WINDIR%\Media\Windows XP Hardware Fail.wav
- %WINDIR%\Media\Windows XP Exclamation.wav
- %WINDIR%\Media\Windows XP Hardware Remove.wav
- %WINDIR%\Media\Windows XP Hardware Insert.wav
- %WINDIR%\Media\Windows XP Notify.wav
- %WINDIR%\Media\Windows XP Shutdown.wav
- %WINDIR%\Media\Windows XP Ringout.wav
- %WINDIR%\Media\Windows XP Startup.wav
- %WINDIR%\Media\Windows XP Start.wav
- %WINDIR%\Media\Windows XP Ringin.wav
- %WINDIR%\Media\Windows XP Print complete.wav
- %WINDIR%\Media\Windows XP Pop-up Blocked.wav
- %WINDIR%\Media\Windows XP Restore.wav
- %WINDIR%\Media\Windows XP Recycle.wav
- %WINDIR%\Media\Windows XP Error.wav
- %WINDIR%\Media\onestop.mid
- %WINDIR%\Media\notify.wav
- %WINDIR%\Media\ringin.wav
- %WINDIR%\Media\recycle.wav
- %WINDIR%\Media\flourish.mid
- C:\p.sys
- %WINDIR%\Media\chimes.wav
- %WINDIR%\Media\ding.wav
- %WINDIR%\Media\chord.wav
- %WINDIR%\Media\ringout.wav
- %WINDIR%\Media\Windows XP Critical Stop.wav
- %WINDIR%\Media\Windows XP Battery Low.wav
- %WINDIR%\Media\Windows XP Ding.wav
- %WINDIR%\Media\Windows XP Default.wav
- %WINDIR%\Media\Windows XP Battery Critical.wav
- %WINDIR%\Media\tada.wav
- %WINDIR%\Media\start.wav
- %WINDIR%\Media\Windows XP Balloon.wav
- %WINDIR%\Media\town.mid
Network activity:
Connects to:
- 'aa###z.co.cc':80
- 'localhost':1034
TCP:
HTTP GET requests:
- aa###z.co.cc/image/command/Administrator-USER-4BB09A9C02-.html?7:##########
- aa###z.co.cc/image/ip.php?us###################################################
- aa###z.co.cc/image/ver.php?7:##########
- aa###z.co.cc/image/Bmp2Jpeg.jpg
UDP:
- DNS ASK aa###z.co.cc
- '10.#.1.1':1035
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''