Technical Information
Malicious functions:
Creates and executes the following:
- %APPDATA%\update-googleAdv.exe
- %WINDIR%\system33.exe
- %WINDIR%\system33.exe (downloaded from the Internet)
Modifies file system :
Creates the following files:
- %APPDATA%\update-googleAdv.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\l0v3ee[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\l0v3ee[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\l0v3ee[1].exe
- %WINDIR%\system33.exe
Sets the 'hidden' attribute to the following files:
- %APPDATA%\update-googleAdv.exe
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\l0v3ee[1].exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\l0v3ee[1].exe
Network activity:
Connects to:
- 'li##.co.il':80
- 'localhost':1040
- 'localhost':1036
- 'ks#.fm':80
TCP:
HTTP GET requests:
- li##.co.il/blog/wp-content/plugins/root/l0v3ee.exe
- ks#.fm/l0v3ee.exe
UDP:
- DNS ASK li##.co.il
- DNS ASK ks#.fm
- '<Private IP address>':1037