Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '820d8' = '%APPDATA%\941\820d8.js'
Creates or modifies the following files
- %HOMEPATH%\start menu\programs\startup\d14.js
- %APPDATA%\microsoft\windows\start menu\programs\startup\d14.js
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
blocks the following features:
- Windows Security Center
modifies the following system settings:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoControlPanel' = '1'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NofolderOptions' = '1'
Executes WMI operations
- IWbemServices::ExecQuery - SELECT * FROM Win32_DiskDrive WHERE Model LIKE "%Virtual HDD%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_DiskDrive WHERE Model LIKE "%VMware%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Parallels%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_DiskDrive WHERE Model LIKE "%Xen%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_SCSIController WHERE Name LIKE "%Citrix%
- IWbemServices::ExecQuery - SELECT * FROM Win32_Process WHERE Name="CaptureClient.exe"
- IWbemServices::ExecQuery - SELECT * FROM Win32_DiskDrive WHERE Model LIKE "%Red Hat%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_BIOS WHERE Manufacturer LIKE "%QEMU%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_DiskDrive WHERE Model LIKE "%VBOX%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_BIOS WHERE Manufacturer LIKE "%innotek%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_BIOS WHERE Manufacturer LIKE "%Xen%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor WHERE Name LIKE "%QEMU%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_DiskDrive WHERE Model LIKE "%QEMU%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor WHERE Name LIKE "%Bochs%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_DiskDrive WHERE Model LIKE "%Bochs%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_SCSIController WHERE Manufacturer LIKE "%Xen%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_BIOS WHERE Manufacturer LIKE "%Bochs%"
- IWbemServices::ExecQuery - SELECT * FROM Win32_SCSIController WHERE Manufacturer LIKE "%Red Hat%"
Modifies settings of Windows Internet Explorer
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '0'
Modifies file system
Creates the following files
- C:\950\98989
- C:\950\831
- C:\950\830
- C:\950\9c9
- C:\users\all users\start menu\programs\startup\d14.js
- %APPDATA%\941\820d8.js
- %ProgramFiles%\8b1\8a12.js
- %TEMP%\ad8d.js
- C:\950\88
- %TEMP%\70f3
- %TEMP%\b798
Deletes the following files
- %TEMP%\70f3
Network activity
TCP
HTTP POST requests
- http://et##oprc.ru/a/
- http://tt###vpt.info/a/
- http://www.google.com/loc/json
UDP
- DNS ASK et##oprc.ru
- DNS ASK bg##mna.in
- DNS ASK zf###iovh.com
- DNS ASK ct###heuk.info
- DNS ASK wp###sfci.name
- DNS ASK dc###hsbq.net
- DNS ASK iq##nr.se
- DNS ASK fu##rjcu.se
- DNS ASK google.com
- DNS ASK fr###noe.org
- DNS ASK mt###rplwhi.ru
- DNS ASK pr##qd.ru
- DNS ASK ei##wqn.in
- DNS ASK kr##zza.eu
- DNS ASK tb###cfz.name
- DNS ASK ea###vmy.net
- DNS ASK tt###vpt.info
- DNS ASK ll###ofro.eu
- DNS ASK nf###grwf.eu
- DNS ASK yx####jxrjy.name
- DNS ASK il###zqzyb.net
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\wscript.exe' "%TEMP%\ad8d.js"