Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'DMB' = '"%HOMEPATH%\Recent\csrss.exe"'
Creates the following files on removable media:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\lsass.exe
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system to hide the following from view:
- hidden files
- file extensions
Modifies file system:
Creates the following files:
- %WINDIR%\ime\tumbs.txt
- %WINDIR%\ime\imjp8_1\tumbs.txt
- %WINDIR%\Help\Tours\WindowsMediaPlayer\tumbs.txt
- %WINDIR%\ime\imejp\tumbs.txt
- %WINDIR%\Microsoft.NET\assembly\GAC_MSIL\tumbs.txt
- %WINDIR%\Microsoft.NET\assembly\GAC_MSIL\System.Core\tumbs.txt
- %WINDIR%\Microsoft.NET\assembly\GAC_MSIL\System.Messaging\tumbs.txt
- %WINDIR%\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\tumbs.txt
- %WINDIR%\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\tumbs.txt
- C:\autorun.inf
- C:\Far2\Plugins\Align\tumbs.txt
- %HOMEPATH%\Recent\csrss.exe
- C:\lsass.exe
- C:\Far2\Plugins\Colorer\hrd\console\tumbs.txt
- <Auxiliary element>
- %WINDIR%\AppPatch\tumbs.txt
- C:\Far2\Plugins\ExtSearch\keys\tumbs.txt
- C:\Far2\Plugins\tumbs.txt
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\lsass.exe
- <Drive name for removable media>:\autorun.inf
- C:\lsass.exe
- C:\autorun.inf
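The indicators above (the 'DMB' Run value pointing at a csrss.exe under Recent, autorun.inf plus lsass.exe at drive roots with the hidden attribute set, and Explorer forced to hide hidden files and extensions) are what a responder checks for when triaging a host or a USB stick. The script below is an added example written for this page, not Dr.Web's tooling. The autorun.inf text and the directory listings in it are constructed for illustration, since the page does not give the real autorun.inf contents; the Explorer value names Hidden and HideFileExt under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced are standard Windows values, not taken from the page. The checks take host data as plain dictionaries so they run anywhere; only the live registry read is Windows-bound.

```python
"""Offline triage of the indicators on this page (added example, not Dr.Web's code)."""
import configparser
import sys
from typing import Dict, List

# Files the page reports at the root of C:\ and of removable drives.
ROOT_DROPPERS = ("autorun.inf", "lsass.exe")
# Genuine Windows system processes that only belong under %WINDIR%\System32.
SYSTEM_BINARY_NAMES = {"lsass.exe", "csrss.exe"}
# Constructed sample: the page does not show the real autorun.inf content.
SAMPLE_AUTORUN = "[AutoRun]\nOPEN=lsass.exe\nshell\\open\\command=lsass.exe\nicon=%SystemRoot%\\system32\\shell32.dll,4\n"


def _first_token(cmd: str) -> str:
    """First token of a command line (the program), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    return cmd.split()[0].lower() if cmd else ""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value.

    Section and key names are case-insensitive in autorun.inf; configparser
    lower-cases keys by default but not sections, so the section is matched
    here. strict=False and allow_no_value keep junk lines from aborting the parse.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in cp.items(section)}
    return {}


def autorun_targets(autorun: Dict[str, str]) -> List[str]:
    """Programs an autorun.inf would start: open, shellexecute and shell\\...\\command verbs."""
    targets: List[str] = []
    for key, value in autorun.items():
        launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value:
            program = _first_token(value)
            if program and program not in targets:
                targets.append(program)
    return targets


def assess_drive_root(listing: Dict[str, bool], autorun_text: str = "") -> List[str]:
    """Flag the drive-root pattern the page describes.

    `listing` maps file name -> True when the hidden attribute is set, as
    os.stat(path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN reports on Windows.
    """
    names = {n.lower(): hidden for n, hidden in listing.items()}
    findings = []
    for name in ROOT_DROPPERS:
        if name in names:
            findings.append(f"{name} at drive root" + (" (hidden attribute set)" if names[name] else ""))
    if "lsass.exe" in names:
        findings.append("lsass.exe outside %WINDIR%\\System32: system process name reused")
    if autorun_text:
        for target in autorun_targets(parse_autorun_inf(autorun_text)):
            if target.split("\\")[-1] in names:
                findings.append(f"autorun.inf would launch root file {target}")
    return findings


def assess_run_values(values: Dict[str, str]) -> List[str]:
    """Flag Run values that start a system-process name from outside System32.

    The page's entry is 'DMB' = "%HOMEPATH%\\Recent\\csrss.exe"; the real csrss.exe
    is never launched from a Run value, let alone from a user profile path.
    """
    findings = []
    for name, cmd in values.items():
        program = _first_token(cmd)
        base = program.split("\\")[-1]
        if base in SYSTEM_BINARY_NAMES and "\\system32\\" not in program:
            findings.append(f"Run value '{name}' starts {base} from {program}")
    return findings


def assess_explorer_advanced(values: Dict[str, int]) -> List[str]:
    """Interpret the Explorer view settings the page says are forced.

    Under HKCU\\...\\Explorer\\Advanced, Hidden = 1 shows hidden files and
    2 hides them; HideFileExt = 1 hides extensions (standard Windows values).
    """
    findings = []
    if values.get("Hidden") == 2:
        findings.append("Explorer set to hide hidden files (Hidden=2)")
    if values.get("HideFileExt") == 1:
        findings.append("Explorer set to hide file extensions (HideFileExt=1)")
    return findings


def read_live_explorer_advanced() -> Dict[str, int]:
    """Read Hidden and HideFileExt from the live registry; returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows only
    out: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced") as key:
        for name in ("Hidden", "HideFileExt"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return out


if __name__ == "__main__":
    # Constructed inputs mirroring the page's indicators.
    for line in assess_drive_root({"autorun.inf": True, "lsass.exe": True, "notes.txt": False}, SAMPLE_AUTORUN):
        print("drive:", line)
    for line in assess_run_values({"DMB": '"%HOMEPATH%\\Recent\\csrss.exe"'}):
        print("run:", line)
    for line in assess_explorer_advanced(read_live_explorer_advanced() or {"Hidden": 2, "HideFileExt": 1}):
        print("explorer:", line)
```

On a live host, feed assess_drive_root a listing built from os.scandir on each removable drive root and assess_run_values the enumerated Run key; a removable drive that shows only autorun.inf and lsass.exe once hidden files are re-enabled matches the page's infection pattern exactly.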
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''