Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %WINDIR%\system.ini
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\amsint32] 'ImagePath' = '<DRIVERS>\hnlifn.sys'
Infects the following executable files
- <Drive name for removable media>:\notepad.exe
- <Drive name for removable media>:\jre-7u75-windows-i586-iftw.exe
- <Drive name for removable media>:\chromesetup.exe
- <Drive name for removable media>:\calc.exe
- <Drive name for removable media>:\tcm851ax32.exe
- %ALLUSERSPROFILE%\application data\adobe\setup\{ac76ba86-7ad7-1033-7b44-aa1000000001}\setup.exe
- %ProgramFiles%\microsoft office\office12\excel.exe
- %ProgramFiles%\microsoft office\office12\winword.exe
- %ProgramFiles%\microsoft office\office12\powerpnt.exe
- %ProgramFiles%\microsoft office\office12\infopath.exe
- %ProgramFiles%\opera\launcher.exe
- %ProgramFiles%\adobe\reader 10.0\reader\acrord32.exe
- %ProgramFiles%\microsoft office\office12\msohtmed.exe
- %ProgramFiles%\Microsoft Office\Office12\OIS.EXE
- %ProgramFiles%\winrar\winrar.exe
Creates the following files on removable media
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\toqms.exe
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to file>' = '<Full path to file>:*:Enabled:ipsec'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:ipsec'
To complicate detection of its presence in the operating system,
forces the system to hide the following from view:
- hidden files
blocks execution of the following system utilities:
- Windows Security Center
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Injects code into
the following system processes:
- <SYSTEM32>\ctfmon.exe
the following user processes:
- firefox.exe
Modifies file system
Creates the following files
- %TEMP%\windsaiot.exe
- %TEMP%\winbrbloe.exe
- <DRIVERS>\hnlifn.sys
- %TEMP%\winehhomd.exe
- amsint32
- %TEMP%\ugrrvw.exe
- C:\autorun.inf
- C:\cubhx.exe
- D:\autorun.inf
- D:\kqkps.exe
Sets the 'hidden' attribute to the following files
- C:\autorun.inf
- C:\cubhx.exe
- D:\autorun.inf
- D:\kqkps.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\toqms.exe
Deletes the following files
- %TEMP%\windsaiot.exe
- %TEMP%\winbrbloe.exe
- <DRIVERS>\hnlifn.sys
- %TEMP%\winehhomd.exe
- %TEMP%\ugrrvw.exe