Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'QZet Agent' = '"%WINDIR%\azup.exe" -agent'
Malicious functions:
Creates and executes the following:
- %WINDIR%\azup.exe -agent
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ag[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ag[1].php
- %WINDIR%\azup.ini
- <Current directory>\azup.ini
- %WINDIR%\azup.exe
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ag[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ag[1].php
Network activity:
Connects to:
- 'qz#t.ru':80
TCP:
HTTP GET requests:
- qz#t.ru/ag.php?lo####
UDP:
- DNS ASK qz#t.ru
- '<Private IP address>':1036
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''