Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Control Panel\Desktop] 'SCRNSAVE.EXE' = '%APPDATA%\Microsoft\Windows\Mose.scr'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Rafferty Filberto Kipper' = '%WINDIR%\Rafferty Filberto Kipper.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Pip' = '%APPDATA%\Pip\Pip.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Gerri' = 'cmd.exe /c %APPDATA%\Gerri\Gerri.Gerri'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Brig' = 'cmd.exe /c %WINDIR%\Brig.Brig'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 'AppInit_DLLs' = '%WINDIR%\6e51e47d7fb228fd9b7888a3f04b38a7.dll'
Malicious functions:
Creates and executes the following:
- %APPDATA%\Microsoft\Windows\Mose.scr /s
Executes the following:
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Microsoft\Windows\Mose.scr"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Microsoft\Windows\Mose.scr"
- <SYSTEM32>\reg.exe ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%APPDATA%\Microsoft\Windows\Mose.scr" /f
- <SYSTEM32>\reg.exe ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
- <SYSTEM32>\reg.exe ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Rafferty Filberto Kipper.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Rafferty Filberto Kipper.exe"
- <SYSTEM32>\reg.exe ADD "HKLM\software\microsoft\windows\currentversion\run" /v "Rafferty Filberto Kipper" /t REG_SZ /d "%WINDIR%\Rafferty Filberto Kipper.exe" /f
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Patrice"
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Patrice\Patrice.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Patrice\Patrice.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Patrice"
- <SYSTEM32>\sc.exe create "Patrice" binPath= "%WINDIR%\Patrice\Patrice.exe" start= auto DisplayName= "Brig" description= "Rafferty Filberto Kipper"
- <SYSTEM32>\sc.exe start "Brig"
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Grover Kenon"
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Grover Kenon\Grover Kenon.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Grover Kenon\Grover Kenon.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Grover Kenon"
- <SYSTEM32>\schtasks.exe /create /F /RL HIGHEST /tn "Grover Kenon" /tr "<Full path to virus>" /sc onlogon
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Pip"
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Pip\Pip.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Pip\Pip.exe"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Pip"
- <SYSTEM32>\reg.exe ADD "HKCU\software\microsoft\windows\currentversion\run" /v "Pip" /t REG_SZ /d "%APPDATA%\Pip\Pip.exe" /f
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Gerri"
- <SYSTEM32>\attrib.exe -R -H -S "%APPDATA%\Gerri\Gerri.Gerri"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Gerri\Gerri.Gerri"
- <SYSTEM32>\attrib.exe +R +H +S "%APPDATA%\Gerri"
- <SYSTEM32>\reg.exe ADD "HKCU\software\microsoft\windows\currentversion\run" /v "Gerri" /t REG_SZ /d "cmd.exe /c %APPDATA%\Gerri\Gerri.Gerri" /f
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\Brig.Brig"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\Brig.Brig"
- <SYSTEM32>\reg.exe ADD "HKLM\software\microsoft\windows\currentversion\run" /v "Brig" /t REG_SZ /d "cmd.exe /c %WINDIR%\Brig.Brig" /f
- <SYSTEM32>\attrib.exe -R -H -S "%WINDIR%\6e51e47d7fb228fd9b7888a3f04b38a7.dll"
- <SYSTEM32>\attrib.exe +R +H +S "%WINDIR%\6e51e47d7fb228fd9b7888a3f04b38a7.dll"
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "%WINDIR%\6e51e47d7fb228fd9b7888a3f04b38a7.dll" /f
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
- <SYSTEM32>\netsh.exe firewall add allowedprogram "<Full path to virus>" "winhttpsvc" ENABLE
- <SYSTEM32>\netsh.exe advfirewall firewall add rule name="winhttpsvc" profile=public,private,domain dir=in action=allow program="<Full path to virus>" enable=yes
- <SYSTEM32>\sc.exe create "Mose" binPath= "<Full path to virus>" start= auto DisplayName= "Brig" description= "Rafferty Filberto Kipper"
- <SYSTEM32>\schtasks.exe /create /F /RL HIGHEST /tn "Rafferty Filberto Kipper" /tr "<Full path to virus>" /sc onlogon
- <SYSTEM32>\netsh.exe firewall set opmode DISABLE
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
- <SYSTEM32>\sc.exe config upnphost start= auto
- <SYSTEM32>\sc.exe config SSDPSRV start= auto
- <SYSTEM32>\sc.exe config browser start= auto
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
- <SYSTEM32>\reg.exe ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
- <SYSTEM32>\reg.exe DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
- <SYSTEM32>\reg.exe DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f
- <SYSTEM32>\reg.exe /s
- <SYSTEM32>\sc.exe /pid=3012
- <SYSTEM32>\sc.exe /s
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\csrss.exe
- <SYSTEM32>\smss.exe
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\services.exe
- <SYSTEM32>\lsass.exe
- <SYSTEM32>\spoolsv.exe
- <SYSTEM32>\ctfmon.exe
- <SYSTEM32>\alg.exe
- <SYSTEM32>\cscript.exe
a large number of user processes.
Terminates or attempts to terminate
the following user processes:
- WebMoney.exe
a large number of user processes.
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:5354'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyOverride' = 'local'
- [<HKLM>\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:8200'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:18559'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:10241'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = '127.0.0.1:7590'
Modifies file system :
Creates the following files:
- %TEMP%\aut1.tmp
- %TEMP%\pc344.rcf
- %APPDATA%\Microsoft\Windows\Mose.scr
- %WINDIR%\Rafferty Filberto Kipper.exe
- %WINDIR%\Patrice\Patrice.exe
- %WINDIR%\Grover Kenon\Grover Kenon.exe
- %APPDATA%\Pip\Pip.exe
- %APPDATA%\Gerri\Gerri.Gerri
- %WINDIR%\Brig.Brig
- %APPDATA%\Rustie.dll
- %WINDIR%\6e51e47d7fb228fd9b7888a3f04b38a7.dll
- %APPDATA%\6e51e47d7fb228fd9b7888a3f04b38a7.QqBdSEPD
- <SYSTEM32>\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6YQRA29M\iilill[1].htm
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9VSFYPI3\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BX7Q3E69\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\09078P2L\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KLMROPQV\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9VSFYPI3\iilill[1].htm
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\iilill[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\iilill[1].htm
- <SYSTEM32>\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W32JX7IL\iilill[1].htm
Sets the 'hidden' attribute to the following files:
- %APPDATA%\Microsoft\Windows\Mose.scr
- %WINDIR%\Rafferty Filberto Kipper.exe
- %WINDIR%\Patrice\Patrice.exe
- %WINDIR%\Grover Kenon\Grover Kenon.exe
- %APPDATA%\Pip\Pip.exe
- %APPDATA%\Gerri\Gerri.Gerri
- %WINDIR%\Brig.Brig
- %WINDIR%\6e51e47d7fb228fd9b7888a3f04b38a7.dll
- %APPDATA%\Rustie.dll
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9VSFYPI3\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BX7Q3E69\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\09078P2L\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KLMROPQV\desktop.ini
Deletes the following files:
- %TEMP%\aut1.tmp
- <SYSTEM32>\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6YQRA29M\iilill[1].htm
Network activity:
Connects to:
- 'localhost':5354
- 'ii##ll.in':80
- 'sp###test.net':80
- 'localhost':8200
- 'localhost':18559
- 'localhost':7590
- 'localhost':10241
TCP:
HTTP GET requests:
- sp###test.net/
HTTP POST requests:
- ii##ll.in/
UDP:
- DNS ASK ii##ll.in
- DNS ASK sp###test.net
- '23#.#55.255.250':1900
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: '' WindowName: 'System Restore'
- ClassName: '' WindowName: 'Registry Editor'
- ClassName: '' WindowName: 'Registry'
- ClassName: '' WindowName: 'RegAlyzer'
- ClassName: '' WindowName: 'RegCool'
- ClassName: '' WindowName: 'System Configuration'
- ClassName: '' WindowName: 'Windows Task Manager'