Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Update' = '%APPDATA%\WindowsUpdate.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\Sys.exe
- <Drive name for removable media>:\autorun.inf
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Executes the following:
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext "%TEMP%\holderwb.txt"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext "%TEMP%\holdermail.txt"
- '%ProgramFiles%\Internet Explorer\IEXPLORE.EXE' -nohome
Injects code into
the following system processes:
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
Searches for registry branches where third party applications store passwords:
- [<HKCU>\Software\Microsoft\IdentityCRL]
- [<HKCU>\Software\Microsoft\MSNMessenger]
- [<HKCU>\Software\Microsoft\Internet Explorer\IntelliForms\Storage2]
- [<HKCU>\Software\Microsoft\Windows Live Mail]
- [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKCU>\Identities\{5518F2FB-DB74-45A3-BEC1-4575D8D9DC84}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Identities\{5518F2FB-DB74-45A3-BEC1-4575D8D9DC84}\Software\Microsoft\Internet Account Manager\Accounts]
Modifies file system:
Creates the following files:
- %TEMP%\holdermail.txt
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\youtube[1]
- %TEMP%\holderwb.txt
- %APPDATA%\pid.txt
- %APPDATA%\pidloc.txt
- %APPDATA%\WindowsUpdate.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\Sys.exe
- <Drive name for removable media>:\autorun.inf
Deletes the following files:
- %TEMP%\holderwb.txt
- %TEMP%\holdermail.txt
Modifies the HOSTS file.
Network activity:
Connects to:
- 'localhost':1043
- 'www.yo##ube.com':80
- 'sm##.mail.com':587
- 'wp#d':80
- 'wh#####yipaddress.com':80
TCP:
HTTP GET requests:
- http://www.yo##ube.com/
- http://wh#####yipaddress.com/
- http://11#.#11.111.1/wpad.dat via wp#d
UDP:
- DNS ASK sm##.mail.com
- DNS ASK www.yo##ube.com
- DNS ASK wp#d
- DNS ASK wh#####yipaddress.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''