Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '%ALLUSERSPROFILE%\Application Data\csrss.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'usbhubber' = '<SYSTEM32>\usbhub.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = '%WINDIR%\Explorer.exe %WINDIR%\cache\apps\Microsoft\Applications\Ms-office\Ms-Word\Networking\internet\system32\lsass.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe <SYSTEM32>\1036\winlogon.exe'
Creates or modifies the following files:
- %WINDIR%\Tasks\At4.job
- %WINDIR%\Tasks\At5.job
- %WINDIR%\Tasks\At6.job
- %WINDIR%\Tasks\At1.job
- %WINDIR%\Tasks\At2.job
- %WINDIR%\Tasks\At3.job
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\TlntSvr] 'Start' = '00000002'
Creates the following files on removable media:
- <Drive name for removable media>:\VerySecretPics.exe
- <Drive name for removable media>:\DCIM78340.exe
- <Drive name for removable media>:\DCIM36230.exe
- <Drive name for removable media>:\DCIM76670.exe
- <Drive name for removable media>:\DCIM73520.exe
- <Drive name for removable media>:\DCIM97590.exe
- <Drive name for removable media>:\DCIM96320.exe
- <Drive name for removable media>:\DCIM96550.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\DCIM58470.exe
- <Drive name for removable media>:\DCIM54420.exe
- <Drive name for removable media>:\picnic.exe
- <Drive name for removable media>:\typshala.pif
- <Drive name for removable media>:\sexyhot.exe
- <Drive name for removable media>:\DCIM83290.exe
- <Drive name for removable media>:\<Virus name>.exe
- <Drive name for removable media>:\HeadChopped.exe
- <Drive name for removable media>:\Baby_Killed_With_knife.exe
- <Drive name for removable media>:\My_hot_moment.exe
- <Drive name for removable media>:\facebooknewpic.exe
- <Drive name for removable media>:\cybersansarSex.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\tlntsvr.exe' = '<SYSTEM32>\tlntsvr.exe:*:Enabled:iexplorer'
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- <SYSTEM32>\iexplorer.exe
- <SYSTEM32>\usbhub.exe
- <SYSTEM32>\iexplorer.exe (downloaded from the Internet)
Executes the following:
- <SYSTEM32>\at.exe /delete /yes
- <SYSTEM32>\at.exe 09:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\mlan.exe
- <SYSTEM32>\netsh.exe firewall set allowedprogram <SYSTEM32>\tskmgr.exe iexplorer enable
- <SYSTEM32>\netsh.exe firewall set allowedprogram <SYSTEM32>\iexplorer.exe iexplorer enable
- <SYSTEM32>\at.exe 10:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\mlan.exe
- <SYSTEM32>\at.exe 04:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\mlan.exe
- <SYSTEM32>\at.exe 02:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\mlan.exe
- <SYSTEM32>\at.exe 08:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\mlan.exe
- <SYSTEM32>\at.exe 05:00 /interactive /EVERY:m,t,w,th,f,s,su <SYSTEM32>\mlan.exe
- <SYSTEM32>\net1.exe localgroup 'remote desktop users' Redbull /add
- <SYSTEM32>\sc.exe config tlntsvr start= auto
- <SYSTEM32>\net1.exe user Redbull 123456789 /add
- <SYSTEM32>\net1.exe localgroup %USERNAME%s Redbull /add
- <SYSTEM32>\netsh.exe firewall set allowedprogram <SYSTEM32>\tlntsvr.exe iexplorer enable
- <SYSTEM32>\regsvr32.exe /s <SYSTEM32>\tlntsvrp.dll
- <SYSTEM32>\netsh.exe firewall set allowedprogram <SYSTEM32>\nc.exe iexplorer enable
- <SYSTEM32>\sc.exe start tlntsvr
- <SYSTEM32>\tlntsvr.exe
Terminates or attempts to terminate
the following user processes:
- AVP.EXE
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Internet Explorer\Main] 'Window Title' = 'Webcat ninja'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system :
Creates the following files:
- <SYSTEM32>\tckl.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\minocx[1].tar
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\tckl[1].tar
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\iexplorer[1].tar
- <SYSTEM32>\iexplorer.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\sub7svr[1].tar
- <SYSTEM32>\sub7svr.exe
- <SYSTEM32>\ocx.exe
- <SYSTEM32>\minocx.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ocx[1].tar
- %TEMP%\aut1.tmp
- <SYSTEM32>\usbhub.exe
- <SYSTEM32>\mlan.exe
- %WINDIR%\cache\apps\Microsoft\Applications\Ms-office\Ms-Word\Networking\internet\system32\lsass.exe
- <SYSTEM32>\1036\winlogon.exe
- C:\VerySecretPics.exe
- C:\autorun.inf
- C:\<Virus name>.exe
- %ALLUSERSPROFILE%\Application Data\csrss.exe
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\<Virus name>.exe
- <Drive name for removable media>:\autorun.inf
- C:\<Virus name>.exe
- C:\autorun.inf
Deletes the following files:
- %TEMP%\aut1.tmp
Network activity:
Connects to:
- 'www.si###ame.com':80
TCP:
HTTP GET requests:
- www.si###ame.com/ocx.tar
- www.si###ame.com/sub7svr.tar
- www.si###ame.com/minocx.tar
- www.si###ame.com/iexplorer.tar
- www.si###ame.com/tckl.tar
UDP:
- DNS ASK www.si###ame.com
- '<Private IP address>':1037
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''