Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe <SYSTEM32>\windows\%TEMP%.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = '<SYSTEM32>\windows\%TEMP%.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe <SYSTEM32>\windows\%TEMP%.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'system32' = '<SYSTEM32>\windows\%TEMP%.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'system32' = '<SYSTEM32>\windows\%TEMP%.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = '<SYSTEM32>\windows\%TEMP%.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'HKCU' = '<SYSTEM32>\windows\%TEMP%.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'HKLM' = '<SYSTEM32>\windows\%TEMP%.exe'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{K485A73S-D0K6-5FOT-4H4A-7K811D1J87YB}] 'StubPath' = '<SYSTEM32>\windows\%TEMP%.exe restart'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'system32' = '<SYSTEM32>\windows\%TEMP%.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'system32' = '<SYSTEM32>\windows\%TEMP%.exe'
Malicious functions:
Executes the following:
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system:
Creates the following files:
- %APPDATA%\Microsoft\Windows\qYbnsGMNn.dat
- <SYSTEM32>\windows\%TEMP%.exe
- %APPDATA%\Microsoft\Windows\qYbnsGMNn.cfg
Sets the 'hidden' attribute to the following files:
- %APPDATA%\Microsoft\Windows\qYbnsGMNn.dat
- <SYSTEM32>\windows\%TEMP%.exe
- %APPDATA%\Microsoft\Windows\qYbnsGMNn.cfg
Network activity:
Connects to:
- 'yo####.no-ip.info':81
- 'localhost':1036
UDP:
- DNS ASK yo####.no-ip.info