Technical Information
To ensure autorun and distribution
Creates the following files on removable media
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\sys.exe
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Identities\{D6909BE8-EA09-4677-9635-1238019FCABC}\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKCU>\Identities\{D6909BE8-EA09-4677-9635-1238019FCABC}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\Software\Microsoft\MSNMessenger]
- [<HKCU>\Software\Yahoo\Pager]
- [<HKCU>\Software\Microsoft\IdentityCRL]
- [<HKCU>\Software\Microsoft\Windows Live Mail]
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- <LS_APPDATA>\google\chrome\user data\default\web data
- <LS_APPDATA>\google\chrome\user data\default\login data
Modifies file system
Creates the following files
- %APPDATA%\pid.txt
- %APPDATA%\pidloc.txt
- %TEMP%\dw.log
- %TEMP%\140c4d.dmp
- %TEMP%\holderwb.txt
Sets the 'hidden' attribute to the following files
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\sys.exe
Deletes the following files
- %TEMP%\holderwb.txt
Network activity
Connects to
- 'wh#####yipaddress.com':443
- 'fi###.#00webhost.com':21
- 'fi###.#00webhost.com':46856
- 'fi###.#00webhost.com':35221
TCP
HTTP GET requests
- http://wh#####yipaddress.com/
UDP
- DNS ASK wh#####yipaddress.com
- DNS ASK fi###.#00webhost.com
Miscellaneous
Executes the following
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 2056
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /stext "%TEMP%\holdermail.txt"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\vbc.exe' /stext "%TEMP%\holderwb.txt"