Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '%USERNAME%' = '%HOMEPATH%\AppData\Roaming\Windows.dll.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\windows.dll.exe
Malicious functions:
Executes the following:
- '<SYSTEM32>\taskkill.exe' /f /IM firefox.exe
- '<SYSTEM32>\taskkill.exe' /f /IM opera.exe
Terminates or attempts to terminate the following user processes:
- firefox.exe
- opera.exe
Modifies file system:
Creates the following files:
- <LS_APPDATA>\WindowsApplication1\<File name>.exe_Url_vhjf5iwd5kfr4inxqdesdml4dzx0tzde\1.0.0.0\xuygj2pt.newcfg
- %TEMP%\AYMEN--11-23-38.png
- %TEMP%\AYMEN--11-23-38.txt
- <LS_APPDATA>\WindowsApplication1\<File name>.exe_Url_vhjf5iwd5kfr4inxqdesdml4dzx0tzde\1.0.0.0\f11tip4h.newcfg
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\windows.dll.exe
Moves the following files:
- from <LS_APPDATA>\WindowsApplication1\<File name>.exe_Url_vhjf5iwd5kfr4inxqdesdml4dzx0tzde\1.0.0.0\xuygj2pt.newcfg to <LS_APPDATA>\WindowsApplication1\<File name>.exe_Url_vhjf5iwd5kfr4inxqdesdml4dzx0tzde\1.0.0.0\user.config
- from <LS_APPDATA>\WindowsApplication1\<File name>.exe_Url_vhjf5iwd5kfr4inxqdesdml4dzx0tzde\1.0.0.0\f11tip4h.newcfg to <LS_APPDATA>\WindowsApplication1\<File name>.exe_Url_vhjf5iwd5kfr4inxqdesdml4dzx0tzde\1.0.0.0\user.config
Network activity:
Connects to:
- 'sm##.gmail.com':587
UDP:
- DNS ASK sm##.gmail.com
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''
Executes the following:
- '<SYSTEM32>\ipconfig.exe' /all