Technical Information
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<Full path to virus>' = '<Full path to virus>:*:Enabled:Generic Host Process for Win32 Services'
Modifies file system :
Creates the following files:
- <SYSTEM32>\dl_.txt
- <SYSTEM32>\check.txt
- %WINDIR%\bootf.txt
- %WINDIR%\schlog.txt
Network activity:
Connects to:
- '94.##0.191.201':2525
- 'we#####ghost.narod.ru':80
- '19#.#7.23.111':2525
TCP:
HTTP GET requests:
- we#####ghost.narod.ru/check.txt
UDP:
- DNS ASK sm##.mail.ru
- DNS ASK we#####ghost.narod.ru