Technical Information
To ensure autorun and distribution:
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\majkl_dzeksn.exe
Malicious functions:
Executes the following:
- <SYSTEM32>\taskkill.exe /F /IM "ICQ*"
- <SYSTEM32>\net1.exe user "%USERNAME%"
- <SYSTEM32>\taskkill.exe /F /IM "qip*"
Terminates or attempts to terminate
the following user processes:
- ICQ.exe
- qip.exe
Modifies file system :
Creates the following files:
- C:\martinka.exe
- C:\autorun.inf
- %HOMEPATH%\Desktop\fotky.exe
- %TEMP%\php4.tmp
- %TEMP%\php1.tmp
- %TEMP%\php2.tmp
- %TEMP%\php3.tmp
Network activity:
Connects to:
- 'sa#####o.okamzite.eu':80
TCP:
HTTP POST requests:
- sa#####o.okamzite.eu/h.php?t=##########
UDP:
- DNS ASK sa#####o.okamzite.eu
- '<Private IP address>':1034
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''