Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\software\microsoft\windows\currentversion\run] 'NETUTILS' = '%WINDIR%\8D0EvNoF9SlD.exe'
Creates or modifies the following files
- %HOMEPATH%\start menu\programs\startup\idwn5i89.exe
- %ALLUSERSPROFILE%\start menu\programs\startup\idwn5i89.exegswpyh5lwb.exe
Changes the following executable system files
- <SYSTEM32>\shutdown.exe
Infects the following executable files
- %APPDATA%\icqm\icqsetup.exe
- %TEMP%\downloader.exe
- %HOMEPATH%\my documents\icq_rfrset.exe
- %ProgramFiles%\adobe\reader 10.0\reader\acrord32.exe
- %ProgramFiles%\adobe\reader 10.0\reader\acrord32info.exe
- %ProgramFiles%\aim6\aim6.exe
- %ProgramFiles%\aimpro\aimpro.exe
- %ProgramFiles%\autodown\autodown.exe
- %ProgramFiles%\icq\icq.exe
- %ProgramFiles%\icqlite\icqlite.exe
- %ProgramFiles%\navwnt\navwnt.exe
- %ProgramFiles%\pidgin\gtk\bin\gspawn-win32-helper-console.exe
- %ProgramFiles%\pidgin\gtk\bin\gspawn-win32-helper.exe
- %ProgramFiles%\usdownloader\usdownloader.exe
- %ProgramFiles%\winrar\winrar.exe
- <SYSTEM32>\shutdown.exe
Malicious functions
To complicate detection of its presence in the operating system, blocks the following features:
- System File Checker (SFC)
Modifies file system
Creates the following files
- %WINDIR%\8d0evnof9sld.exe
- %TEMP%\~rgeffere.tmp
- <SYSTEM32>\shutdown.exe.new
- <SYSTEM32>\dllcache\shutdown.exe.new
Sets the 'hidden' attribute to the following files
- %WINDIR%\8d0evnof9sld.exe
- %HOMEPATH%\start menu\programs\startup\idwn5i89.exe
- %ALLUSERSPROFILE%\start menu\programs\startup\idwn5i89.exegswpyh5lwb.exe
Deletes the following files
- %TEMP%\~rgeffere.tmp
Substitutes the following files
- %TEMP%\~rgeffere.tmp
Network activity
Connects to
- '12#.#7.9.247':6667