Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WordPress' = 'wscript.exe //B "%TEMP%\WordPress.vbs"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WordPress' = 'wscript.exe //B "%TEMP%\WordPress.vbs"'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\WordPress.vbs
Creates the following files on removable media:
- <Drive name for removable media>:\WordPress.vbs
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\wscript.exe' "%TEMP%\WordPress.vbs"
Executes the following:
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\metro-wordpress-themes.jpg
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\2.png
Modifies file system:
Creates the following files:
- %TEMP%\metro-wordpress-themes.jpg
- %TEMP%\WordPress.vbs
- %TEMP%\Requirements.docx
- %TEMP%\2.png
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\WordPress.vbs
Network activity:
Connects to:
- 'ou######mpany1.zapto.org':1001
- 'localhost':1038
UDP:
- DNS ASK ou######mpany1.zapto.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''