Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\uohmpwai] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\uohmpwai] 'ImagePath' = '<SYSTEM32>\uohmpwai\wyrcjrfv.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\uohmpwai] 'ImagePath' = '<SYSTEM32>\uohmpwai\wyrcjrfv.exe'
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\wyrcjrfv.exe
- C:\documents and settings\localservice:.repos
Moves the following files
- from %TEMP%\wyrcjrfv.exe to <SYSTEM32>\uohmpwai\wyrcjrfv.exe
Deletes itself.
Network activity
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK rm##.org
- DNS ASK mx#.##tsolmail.net
- DNS ASK rs##.org
- DNS ASK pl#####.hushmail.com
- DNS ASK hu###ail.com
- DNS ASK ti###linet.it
- DNS ASK ya##o.es
- DNS ASK cu#######-1.in.mailcontrol.com
- DNS ASK bi###anet.com
- DNS ASK ya##o.com
- DNS ASK mx#######001.gslb.pphosted.com
- DNS ASK nr##a.org
- DNS ASK mx#.##.correio.biz
- DNS ASK ig.#om.br
- DNS ASK le###.#x.esu.k12.oh.us
- DNS ASK le##a.org
- DNS ASK mx#####.#ail.gm0.yahoodns.net
- DNS ASK na###lth.com
- DNS ASK mx#.##rthlink.net
- DNS ASK ja##ed.org
- DNS ASK lu###nisd.org
- DNS ASK te##con.org
- DNS ASK su###.theirc.org
- DNS ASK sm##.##cureserver.net
- DNS ASK or#####lbuscemis.com
- DNS ASK fr###nmedia.com
- DNS ASK al#####gsmultimedia.com
- DNS ASK mx#.#ail.qq.com
- DNS ASK ya###.com.ph
- DNS ASK fi###r.rmef.org
- DNS ASK ad##am.org
- DNS ASK ro###tmail.com
- DNS ASK mx#.##oadpark.no
- DNS ASK br###park.no
- DNS ASK mx#.##eamhost.com
- DNS ASK pr###ienet.org
- DNS ASK li#e.fr
- DNS ASK ho##ail.it
- DNS ASK m3.##idam.org
- DNS ASK sc###net.org
- DNS ASK et###.#ail.tiscali.it
- DNS ASK ti##ali.it
- DNS ASK st###oelit.net
- DNS ASK mu##o-r.com
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK ho##ail.com
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK ku###service.no
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK ka####elverum.no
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK uh#.com
- DNS ASK va######.mail.dreamhost.com
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK ev######.##il.protection.outlook.com
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK ev##.com
- DNS ASK gmail-smtp-in.l.google.com
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK gm##l.com
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK mx#.#undo-r.com
- DNS ASK fo##ail.com
- DNS ASK sa###oloimi.com
- DNS ASK xt##du.org
- DNS ASK ma###.##tesasanpaolo.com
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK ya##o.gr
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK ho##ail.fr
- DNS ASK ti##ali.no
- DNS ASK la##oral.no
- DNS ASK ku###kapig.no
- DNS ASK ki##i.no
- DNS ASK sm##.###righettilegnami.it
- DNS ASK gi###ille.org
- DNS ASK pe###epc.com
- DNS ASK d1######.#ss.barracudanetworks.com
- DNS ASK tu####chools.org
- DNS ASK sk##c.org
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK ya###.com.mx
- DNS ASK mx.##bhuset.no
- DNS ASK an#####ettilegnami.it
- DNS ASK ma####.corpmailsvcs.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\uohmpwai\wyrcjrfv.exe' /d"<Full path to file>"
- '<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\uohmpwai\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\wyrcjrfv.exe" <SYSTEM32>\uohmpwai\' (with hidden window)
- '<SYSTEM32>\sc.exe' create uohmpwai binPath= "<SYSTEM32>\uohmpwai\wyrcjrfv.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '<SYSTEM32>\sc.exe' description uohmpwai "wifi internet conection"' (with hidden window)
- '<SYSTEM32>\sc.exe' start uohmpwai' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\uohmpwai\
- '<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\wyrcjrfv.exe" <SYSTEM32>\uohmpwai\
- '<SYSTEM32>\sc.exe' create uohmpwai binPath= "<SYSTEM32>\uohmpwai\wyrcjrfv.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '<SYSTEM32>\sc.exe' description uohmpwai "wifi internet conection"
- '<SYSTEM32>\sc.exe' start uohmpwai
- '<SYSTEM32>\svchost.exe'